Get Mbed TLS to build

This change configures Mbed TLS to support the fewest number of things possible required to run an HTTPS server that caters to the sweet spot of being legacy enough to support the vast majority of user agents but modern enough that Chrome and Firefox remain happy. That should entail - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_RSA_WITH_AES_128_CBC_SHA Even though other suites still get included so what usually happens in practice is ECDHE-RSA-AES256-GCM-SHA384 under TLS 1.2 will be selected and the binary footprint is reasonable, and should cost us about 200kb
2025-10-06 22:47:20 +00:00 · 2021-06-15 19:52:02 -07:00 · 2021-06-15 19:52:02 -07:00 · d0ac995dc0
commit d0ac995dc0
parent 19bd27358a
204 changed files with 1698 additions and 1490 deletions
--- a/third_party/mbedtls/library/aes.c
+++ b/third_party/mbedtls/library/aes.c
@ -1,3 +1,4 @@
+/* clang-format off */
 /*
 *  FIPS-197 compliant AES implementation
 *
@ -23,28 +24,27 @@
 *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
 */

-#include "common.h"
+#include "libc/nexgen32e/x86feature.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_AES_C)

-#include <string.h>

-#include "mbedtls/aes.h"
-#include "mbedtls/platform.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
 #if defined(MBEDTLS_PADLOCK_C)
-#include "mbedtls/padlock.h"
+#include "third_party/mbedtls/include/mbedtls/padlock.h"
 #endif
 #if defined(MBEDTLS_AESNI_C)
-#include "mbedtls/aesni.h"
+#include "third_party/mbedtls/include/mbedtls/aesni.h"
 #endif

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
@ -584,7 +584,7 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
    ctx->rk = RK = ctx->buf;

 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
-    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+    if( X86_HAVE( AES ) )
        return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
 #endif

@ -694,7 +694,7 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
    ctx->nr = cty.nr;

 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
-    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+    if( X86_HAVE( AES ) )
    {
        mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
                           (const unsigned char *) cty.rk, ctx->nr );
@ -1018,7 +1018,7 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
                      mode == MBEDTLS_AES_DECRYPT );

 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
-    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+    if( X86_HAVE( AES ) )
        return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
 #endif

--- a/third_party/mbedtls/library/aesni.c
+++ b/third_party/mbedtls/library/aesni.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  AES-NI support functions
 *
@ -22,7 +24,8 @@
 * [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_AESNI_C)

@ -32,9 +35,8 @@
 #endif
 #endif

-#include "mbedtls/aesni.h"
+#include "third_party/mbedtls/include/mbedtls/aesni.h"

-#include <string.h>

 #ifndef asm
 #define asm __asm
@ -42,27 +44,6 @@

 #if defined(MBEDTLS_HAVE_X86_64)

-/*
- * AES-NI support detection routine
- */
-int mbedtls_aesni_has_support( unsigned int what )
-{
-    static int done = 0;
-    static unsigned int c = 0;
-
-    if( ! done )
-    {
-        asm( "movl  $1, %%eax   \n\t"
-             "cpuid             \n\t"
-             : "=c" (c)
-             :
-             : "eax", "ebx", "edx" );
-        done = 1;
-    }
-
-    return( ( c & what ) != 0 );
-}
-
 /*
 * Binutils needs to be at least 2.19 to support AES-NI instructions.
 * Unfortunately, a lot of users have a lower version now (2014-04).
--- a/third_party/mbedtls/library/arc4.c
+++ b/third_party/mbedtls/library/arc4.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  An implementation of the ARCFOUR algorithm
 *
@ -22,20 +24,18 @@
 *  http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_ARC4_C)

-#include "mbedtls/arc4.h"
-#include "mbedtls/platform_util.h"
-
-#include <string.h>
+#include "third_party/mbedtls/include/mbedtls/arc4.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/aria.c
+++ b/third_party/mbedtls/library/aria.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  ARIA implementation
 *
@ -23,26 +25,24 @@
 * [2] https://tools.ietf.org/html/rfc5794
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_ARIA_C)

-#include "mbedtls/aria.h"
+#include "third_party/mbedtls/include/mbedtls/aria.h"

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */

 #if !defined(MBEDTLS_ARIA_ALT)

-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
--- a/third_party/mbedtls/library/asn1parse.c
+++ b/third_party/mbedtls/library/asn1parse.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Generic ASN.1 parsing
 *
@ -17,24 +19,22 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_ASN1_PARSE_C)

-#include "mbedtls/asn1.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif
--- a/third_party/mbedtls/library/asn1write.c
+++ b/third_party/mbedtls/library/asn1write.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 * ASN.1 buffer writing functionality
 *
@ -17,19 +19,17 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_ASN1_WRITE_C)

-#include "mbedtls/asn1write.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/asn1write.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif
--- a/third_party/mbedtls/library/base64.c
+++ b/third_party/mbedtls/library/base64.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  RFC 1521 base64 encoding/decoding
 *
@ -17,20 +19,17 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_BASE64_C)

-#include "mbedtls/base64.h"
+#include "third_party/mbedtls/include/mbedtls/base64.h"

-#include <stdint.h>

 #if defined(MBEDTLS_SELF_TEST)
-#include <string.h>
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/bignum.c
+++ b/third_party/mbedtls/library/bignum.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Multi-precision integer library
 *
@ -33,22 +35,19 @@
 *
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_BIGNUM_C)

-#include "mbedtls/bignum.h"
-#include "mbedtls/bn_mul.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bn_mul.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
-#include <stdlib.h>
 #define mbedtls_printf     printf
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
--- a/third_party/mbedtls/library/blowfish.c
+++ b/third_party/mbedtls/library/blowfish.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Blowfish implementation
 *
@ -23,14 +25,14 @@
 *
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_BLOWFISH_C)

-#include "mbedtls/blowfish.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/blowfish.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

-#include <string.h>

 #if !defined(MBEDTLS_BLOWFISH_ALT)

--- a/third_party/mbedtls/library/camellia.c
+++ b/third_party/mbedtls/library/camellia.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Camellia implementation
 *
@ -23,20 +25,18 @@
 *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_CAMELLIA_C)

-#include "mbedtls/camellia.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/camellia.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/ccm.c
+++ b/third_party/mbedtls/library/ccm.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  NIST SP800-38C compliant CCM implementation
 *
@ -26,21 +28,18 @@
 * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_CCM_C)

-#include "mbedtls/ccm.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
+#include "third_party/mbedtls/include/mbedtls/ccm.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
--- a/third_party/mbedtls/library/certs.c
+++ b/third_party/mbedtls/library/certs.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  X.509 test certificates
 *
@ -17,9 +19,9 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

-#include "mbedtls/certs.h"
+#include "third_party/mbedtls/include/mbedtls/certs.h"

 #if defined(MBEDTLS_CERTS_C)

--- a/third_party/mbedtls/library/chacha20.c
+++ b/third_party/mbedtls/library/chacha20.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file chacha20.c
 *
@ -21,22 +23,19 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_CHACHA20_C)

-#include "mbedtls/chacha20.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/chacha20.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <stddef.h>
-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/chachapoly.c
+++ b/third_party/mbedtls/library/chachapoly.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file chachapoly.c
 *
@ -18,21 +20,19 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_CHACHAPOLY_C)

-#include "mbedtls/chachapoly.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/chachapoly.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/check_crypto_config.h
+++ b/third_party/mbedtls/library/check_crypto_config.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file check_crypto_config.h
 *
--- a/third_party/mbedtls/library/cipher.c
+++ b/third_party/mbedtls/library/cipher.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file cipher.c
 *
@ -21,49 +23,48 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_CIPHER_C)

-#include "mbedtls/cipher.h"
-#include "mbedtls/cipher_internal.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/psa/sheesh.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher_internal.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <stdlib.h>
-#include <string.h>

 #if defined(MBEDTLS_CHACHAPOLY_C)
-#include "mbedtls/chachapoly.h"
+#include "third_party/mbedtls/include/mbedtls/chachapoly.h"
 #endif

 #if defined(MBEDTLS_GCM_C)
-#include "mbedtls/gcm.h"
+#include "third_party/mbedtls/include/mbedtls/gcm.h"
 #endif

 #if defined(MBEDTLS_CCM_C)
-#include "mbedtls/ccm.h"
+#include "third_party/mbedtls/include/mbedtls/ccm.h"
 #endif

 #if defined(MBEDTLS_CHACHA20_C)
-#include "mbedtls/chacha20.h"
+#include "third_party/mbedtls/include/mbedtls/chacha20.h"
 #endif

 #if defined(MBEDTLS_CMAC_C)
-#include "mbedtls/cmac.h"
+#include "third_party/mbedtls/include/mbedtls/cmac.h"
 #endif

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#include "mbedtls/psa_util.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/include/mbedtls/psa_util.h"
 #endif /* MBEDTLS_USE_PSA_CRYPTO */

 #if defined(MBEDTLS_NIST_KW_C)
-#include "mbedtls/nist_kw.h"
+#include "third_party/mbedtls/include/mbedtls/nist_kw.h"
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
 #define mbedtls_calloc calloc
 #define mbedtls_free   free
--- a/third_party/mbedtls/library/cipher_wrap.c
+++ b/third_party/mbedtls/library/cipher_wrap.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file cipher_wrap.c
 *
@ -21,65 +23,63 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_CIPHER_C)

-#include "mbedtls/cipher_internal.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/cipher_internal.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(MBEDTLS_CHACHAPOLY_C)
-#include "mbedtls/chachapoly.h"
+#include "third_party/mbedtls/include/mbedtls/chachapoly.h"
 #endif

 #if defined(MBEDTLS_AES_C)
-#include "mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
 #endif

 #if defined(MBEDTLS_ARC4_C)
-#include "mbedtls/arc4.h"
+#include "third_party/mbedtls/include/mbedtls/arc4.h"
 #endif

 #if defined(MBEDTLS_CAMELLIA_C)
-#include "mbedtls/camellia.h"
+#include "third_party/mbedtls/include/mbedtls/camellia.h"
 #endif

 #if defined(MBEDTLS_ARIA_C)
-#include "mbedtls/aria.h"
+#include "third_party/mbedtls/include/mbedtls/aria.h"
 #endif

 #if defined(MBEDTLS_DES_C)
-#include "mbedtls/des.h"
+#include "third_party/mbedtls/include/mbedtls/des.h"
 #endif

 #if defined(MBEDTLS_BLOWFISH_C)
-#include "mbedtls/blowfish.h"
+#include "third_party/mbedtls/include/mbedtls/blowfish.h"
 #endif

 #if defined(MBEDTLS_CHACHA20_C)
-#include "mbedtls/chacha20.h"
+#include "third_party/mbedtls/include/mbedtls/chacha20.h"
 #endif

 #if defined(MBEDTLS_GCM_C)
-#include "mbedtls/gcm.h"
+#include "third_party/mbedtls/include/mbedtls/gcm.h"
 #endif

 #if defined(MBEDTLS_CCM_C)
-#include "mbedtls/ccm.h"
+#include "third_party/mbedtls/include/mbedtls/ccm.h"
 #endif

 #if defined(MBEDTLS_NIST_KW_C)
-#include "mbedtls/nist_kw.h"
+#include "third_party/mbedtls/include/mbedtls/nist_kw.h"
 #endif

 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
-#include <string.h>
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif
--- a/third_party/mbedtls/library/cmac.c
+++ b/third_party/mbedtls/library/cmac.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file cmac.c
 *
@ -38,16 +40,15 @@
 *
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_CMAC_C)

-#include "mbedtls/cmac.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/cmac.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"

-#include <string.h>

 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)

--- a/third_party/mbedtls/library/common.h
+++ b/third_party/mbedtls/library/common.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file common.h
 *
@ -26,7 +28,7 @@
 #if defined(MBEDTLS_CONFIG_FILE)
 #include MBEDTLS_CONFIG_FILE
 #else
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #endif

 /** Helper to define a function as static except when building invasive tests.
--- a/third_party/mbedtls/library/ctr_drbg.c
+++ b/third_party/mbedtls/library/ctr_drbg.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
 *
@ -22,25 +24,20 @@
 *  http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "libc/stdio/stdio.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_CTR_DRBG_C)

-#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
-#endif
+#include "third_party/mbedtls/include/mbedtls/ctr_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/debug.c
+++ b/third_party/mbedtls/library/debug.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Debugging routines
 *
@ -17,14 +19,13 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_DEBUG_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc      calloc
 #define mbedtls_free        free
 #define mbedtls_time_t      time_t
@ -32,12 +33,8 @@
 #define mbedtls_vsnprintf   vsnprintf
 #endif

-#include "mbedtls/debug.h"
-#include "mbedtls/error.h"
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
+#include "third_party/mbedtls/include/mbedtls/debug.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
--- a/third_party/mbedtls/library/des.c
+++ b/third_party/mbedtls/library/des.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  FIPS-46-3 compliant Triple-DES implementation
 *
@ -23,20 +25,17 @@
 *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_DES_C)

-#include "mbedtls/des.h"
-#include "mbedtls/platform_util.h"
-
-#include <string.h>
+#include "third_party/mbedtls/include/mbedtls/des.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/dhm.c
+++ b/third_party/mbedtls/library/dhm.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Diffie-Hellman-Merkle key exchange
 *
@ -25,29 +27,27 @@
 *
 */

-#include "common.h"
+#include "libc/calls/calls.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_DHM_C)

-#include "mbedtls/dhm.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/dhm.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_PEM_PARSE_C)
-#include "mbedtls/pem.h"
+#include "third_party/mbedtls/include/mbedtls/pem.h"
 #endif

 #if defined(MBEDTLS_ASN1_PARSE_C)
-#include "mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
-#include <stdio.h>
 #define mbedtls_printf     printf
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
--- a/third_party/mbedtls/library/ecdh.c
+++ b/third_party/mbedtls/library/ecdh.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Elliptic curve Diffie-Hellman
 *
@ -24,15 +26,14 @@
 * RFC 4492
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_ECDH_C)

-#include "mbedtls/ecdh.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/ecdh.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 /* Parameter validation macros based on platform_util.h */
 #define ECDH_VALIDATE_RET( cond )    \
--- a/third_party/mbedtls/library/ecdsa.c
+++ b/third_party/mbedtls/library/ecdsa.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Elliptic curve DSA
 *
@ -23,29 +25,27 @@
 * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_ECDSA_C)

-#include "mbedtls/ecdsa.h"
-#include "mbedtls/asn1write.h"
+#include "third_party/mbedtls/include/mbedtls/ecdsa.h"
+#include "third_party/mbedtls/include/mbedtls/asn1write.h"

-#include <string.h>

 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-#include "mbedtls/hmac_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/hmac_drbg.h"
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif

-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 /* Parameter validation macros based on platform_util.h */
 #define ECDSA_VALIDATE_RET( cond )    \
--- a/third_party/mbedtls/library/ecjpake.c
+++ b/third_party/mbedtls/library/ecjpake.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Elliptic curve J-PAKE
 *
@ -22,15 +24,14 @@
 * available to members of the Thread Group http://threadgroup.org/
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_ECJPAKE_C)

-#include "mbedtls/ecjpake.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/ecjpake.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if !defined(MBEDTLS_ECJPAKE_ALT)

@ -800,9 +801,8 @@ cleanup:
 #if defined(MBEDTLS_SELF_TEST)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf     printf
 #endif

--- a/third_party/mbedtls/library/ecp.c
+++ b/third_party/mbedtls/library/ecp.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Elliptic curves over GF(p): generic functions
 *
@ -39,7 +41,7 @@
 *     <http://eprint.iacr.org/2004/342.pdf>
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 /**
 * \brief Function level alternative implementation.
@ -72,12 +74,11 @@

 #if defined(MBEDTLS_ECP_C)

-#include "mbedtls/ecp.h"
-#include "mbedtls/threading.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if !defined(MBEDTLS_ECP_ALT)

@ -88,22 +89,20 @@
    MBEDTLS_INTERNAL_VALIDATE( cond )

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
-#include <stdio.h>
 #define mbedtls_printf     printf
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif

-#include "mbedtls/ecp_internal.h"
+#include "third_party/mbedtls/include/mbedtls/ecp_internal.h"

 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
 #if defined(MBEDTLS_HMAC_DRBG_C)
-#include "mbedtls/hmac_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/hmac_drbg.h"
 #elif defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/ctr_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/ctr_drbg.h"
 #else
 #error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
 #endif
--- a/third_party/mbedtls/library/ecp_curves.c
+++ b/third_party/mbedtls/library/ecp_curves.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Elliptic curves over GF(p): curve-specific data and functions
 *
@ -17,15 +19,14 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_ECP_C)

-#include "mbedtls/ecp.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if !defined(MBEDTLS_ECP_ALT)

--- a/third_party/mbedtls/library/entropy.c
+++ b/third_party/mbedtls/library/entropy.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Entropy accumulator implementation
 *
@ -17,7 +19,9 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "libc/calls/calls.h"
+#include "libc/stdio/stdio.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_ENTROPY_C)

@ -27,32 +31,29 @@
 #warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE "
 #endif

-#include "mbedtls/entropy.h"
-#include "mbedtls/entropy_poll.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/entropy.h"
+#include "third_party/mbedtls/include/mbedtls/entropy_poll.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
 #endif

 #if defined(MBEDTLS_ENTROPY_NV_SEED)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #endif

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf     printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */

 #if defined(MBEDTLS_HAVEGE_C)
-#include "mbedtls/havege.h"
+#include "third_party/mbedtls/include/mbedtls/havege.h"
 #endif

 #define ENTROPY_MAX_LOOP    256     /**< Maximum amount to loop before error */
--- a/third_party/mbedtls/library/entropy_poll.c
+++ b/third_party/mbedtls/library/entropy_poll.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Platform-specific and custom entropy polling functions
 *
@ -22,24 +24,24 @@
 #define _GNU_SOURCE
 #endif

-#include "common.h"
+#include "libc/stdio/stdio.h"
+#include "third_party/mbedtls/library/common.h"

-#include <string.h>

 #if defined(MBEDTLS_ENTROPY_C)

-#include "mbedtls/entropy.h"
-#include "mbedtls/entropy_poll.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/entropy.h"
+#include "third_party/mbedtls/include/mbedtls/entropy_poll.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(MBEDTLS_TIMING_C)
-#include "mbedtls/timing.h"
+#include "third_party/mbedtls/include/mbedtls/timing.h"
 #endif
 #if defined(MBEDTLS_HAVEGE_C)
-#include "mbedtls/havege.h"
+#include "third_party/mbedtls/include/mbedtls/havege.h"
 #endif
 #if defined(MBEDTLS_ENTROPY_NV_SEED)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #endif

 #if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
@ -55,8 +57,6 @@
 #if !defined(_WIN32_WINNT)
 #define _WIN32_WINNT 0x0400
 #endif
-#include <windows.h>
-#include <wincrypt.h>

 int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len,
                           size_t *olen )
@ -90,11 +90,8 @@ int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len
 * available in GNU libc and compatible libc's (eg uClibc).
 */
 #if ((defined(__linux__) && defined(__GLIBC__)) || defined(__midipix__))
-#include <unistd.h>
-#include <sys/syscall.h>
 #if defined(SYS_getrandom)
 #define HAVE_GETRANDOM
-#include <errno.h>

 static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
 {
@ -110,11 +107,8 @@ static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
 #endif /* __linux__ || __midipix__ */

 #if defined(__FreeBSD__) || defined(__DragonFly__)
-#include <sys/param.h>
 #if (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || \
    (defined(__DragonFly__) && __DragonFly_version >= 500700)
-#include <errno.h>
-#include <sys/random.h>
 #define HAVE_GETRANDOM
 static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
 {
@ -133,8 +127,6 @@ static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
 * Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
 */
 #if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
-#include <sys/param.h>
-#include <sys/sysctl.h>
 #if defined(KERN_ARND)
 #define HAVE_SYSCTL_ARND

@ -159,7 +151,6 @@ static int sysctl_arnd_wrapper( unsigned char *buf, size_t buflen )
 #endif /* KERN_ARND */
 #endif /* __FreeBSD__ || __NetBSD__ */

-#include <stdio.h>

 int mbedtls_platform_entropy_poll( void *data,
                           unsigned char *output, size_t len, size_t *olen )
--- a/third_party/mbedtls/library/error.c
+++ b/third_party/mbedtls/library/error.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Error message information
 *
@ -17,197 +19,194 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(MBEDTLS_ERROR_C) || defined(MBEDTLS_ERROR_STRERROR_DUMMY)

 #if defined(MBEDTLS_ERROR_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
 #define mbedtls_snprintf snprintf
 #endif

-#include <stdio.h>
-#include <string.h>
-
 #if defined(MBEDTLS_AES_C)
-#include "mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
 #endif

 #if defined(MBEDTLS_ARC4_C)
-#include "mbedtls/arc4.h"
+#include "third_party/mbedtls/include/mbedtls/arc4.h"
 #endif

 #if defined(MBEDTLS_ARIA_C)
-#include "mbedtls/aria.h"
+#include "third_party/mbedtls/include/mbedtls/aria.h"
 #endif

 #if defined(MBEDTLS_ASN1_PARSE_C)
-#include "mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
 #endif

 #if defined(MBEDTLS_BASE64_C)
-#include "mbedtls/base64.h"
+#include "third_party/mbedtls/include/mbedtls/base64.h"
 #endif

 #if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
 #endif

 #if defined(MBEDTLS_BLOWFISH_C)
-#include "mbedtls/blowfish.h"
+#include "third_party/mbedtls/include/mbedtls/blowfish.h"
 #endif

 #if defined(MBEDTLS_CAMELLIA_C)
-#include "mbedtls/camellia.h"
+#include "third_party/mbedtls/include/mbedtls/camellia.h"
 #endif

 #if defined(MBEDTLS_CCM_C)
-#include "mbedtls/ccm.h"
+#include "third_party/mbedtls/include/mbedtls/ccm.h"
 #endif

 #if defined(MBEDTLS_CHACHA20_C)
-#include "mbedtls/chacha20.h"
+#include "third_party/mbedtls/include/mbedtls/chacha20.h"
 #endif

 #if defined(MBEDTLS_CHACHAPOLY_C)
-#include "mbedtls/chachapoly.h"
+#include "third_party/mbedtls/include/mbedtls/chachapoly.h"
 #endif

 #if defined(MBEDTLS_CIPHER_C)
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #endif

 #if defined(MBEDTLS_CMAC_C)
-#include "mbedtls/cmac.h"
+#include "third_party/mbedtls/include/mbedtls/cmac.h"
 #endif

 #if defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/ctr_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/ctr_drbg.h"
 #endif

 #if defined(MBEDTLS_DES_C)
-#include "mbedtls/des.h"
+#include "third_party/mbedtls/include/mbedtls/des.h"
 #endif

 #if defined(MBEDTLS_DHM_C)
-#include "mbedtls/dhm.h"
+#include "third_party/mbedtls/include/mbedtls/dhm.h"
 #endif

 #if defined(MBEDTLS_ECP_C)
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
 #endif

 #if defined(MBEDTLS_ENTROPY_C)
-#include "mbedtls/entropy.h"
+#include "third_party/mbedtls/include/mbedtls/entropy.h"
 #endif

 #if defined(MBEDTLS_ERROR_C)
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
 #endif

 #if defined(MBEDTLS_GCM_C)
-#include "mbedtls/gcm.h"
+#include "third_party/mbedtls/include/mbedtls/gcm.h"
 #endif

 #if defined(MBEDTLS_HKDF_C)
-#include "mbedtls/hkdf.h"
+#include "third_party/mbedtls/include/mbedtls/hkdf.h"
 #endif

 #if defined(MBEDTLS_HMAC_DRBG_C)
-#include "mbedtls/hmac_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/hmac_drbg.h"
 #endif

 #if defined(MBEDTLS_MD_C)
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #endif

 #if defined(MBEDTLS_MD2_C)
-#include "mbedtls/md2.h"
+#include "third_party/mbedtls/include/mbedtls/md2.h"
 #endif

 #if defined(MBEDTLS_MD4_C)
-#include "mbedtls/md4.h"
+#include "third_party/mbedtls/include/mbedtls/md4.h"
 #endif

 #if defined(MBEDTLS_MD5_C)
-#include "mbedtls/md5.h"
+#include "third_party/mbedtls/include/mbedtls/md5.h"
 #endif

 #if defined(MBEDTLS_NET_C)
-#include "mbedtls/net_sockets.h"
+#include "third_party/mbedtls/include/mbedtls/net_sockets.h"
 #endif

 #if defined(MBEDTLS_OID_C)
-#include "mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
 #endif

 #if defined(MBEDTLS_PADLOCK_C)
-#include "mbedtls/padlock.h"
+#include "third_party/mbedtls/include/mbedtls/padlock.h"
 #endif

 #if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
-#include "mbedtls/pem.h"
+#include "third_party/mbedtls/include/mbedtls/pem.h"
 #endif

 #if defined(MBEDTLS_PK_C)
-#include "mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
 #endif

 #if defined(MBEDTLS_PKCS12_C)
-#include "mbedtls/pkcs12.h"
+#include "third_party/mbedtls/include/mbedtls/pkcs12.h"
 #endif

 #if defined(MBEDTLS_PKCS5_C)
-#include "mbedtls/pkcs5.h"
+#include "third_party/mbedtls/include/mbedtls/pkcs5.h"
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #endif

 #if defined(MBEDTLS_POLY1305_C)
-#include "mbedtls/poly1305.h"
+#include "third_party/mbedtls/include/mbedtls/poly1305.h"
 #endif

 #if defined(MBEDTLS_RIPEMD160_C)
-#include "mbedtls/ripemd160.h"
+#include "third_party/mbedtls/include/mbedtls/ripemd160.h"
 #endif

 #if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
 #endif

 #if defined(MBEDTLS_SHA1_C)
-#include "mbedtls/sha1.h"
+#include "third_party/mbedtls/include/mbedtls/sha1.h"
 #endif

 #if defined(MBEDTLS_SHA256_C)
-#include "mbedtls/sha256.h"
+#include "third_party/mbedtls/include/mbedtls/sha256.h"
 #endif

 #if defined(MBEDTLS_SHA512_C)
-#include "mbedtls/sha512.h"
+#include "third_party/mbedtls/include/mbedtls/sha512.h"
 #endif

 #if defined(MBEDTLS_SSL_TLS_C)
-#include "mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
 #endif

 #if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
 #endif

 #if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
-#include "mbedtls/x509.h"
+#include "third_party/mbedtls/include/mbedtls/x509.h"
 #endif

 #if defined(MBEDTLS_XTEA_C)
-#include "mbedtls/xtea.h"
+#include "third_party/mbedtls/include/mbedtls/xtea.h"
 #endif


--- a/third_party/mbedtls/library/gcm.c
+++ b/third_party/mbedtls/library/gcm.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  NIST SP800-38D compliant GCM implementation
 *
@ -27,25 +29,25 @@
 * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "libc/nexgen32e/x86feature.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_GCM_C)

-#include "mbedtls/gcm.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/gcm.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_AESNI_C)
-#include "mbedtls/aesni.h"
+#include "third_party/mbedtls/include/mbedtls/aesni.h"
 #endif

 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
-#include "mbedtls/aes.h"
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #if !defined(MBEDTLS_PLATFORM_C)
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
@ -125,7 +127,7 @@ static int gcm_gen_table( mbedtls_gcm_context *ctx )

 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
    /* With CLMUL support, we need only h, not the rest of the table */
-    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) )
+    if( X86_HAVE( PCLMUL ) )
        return( 0 );
 #endif

@ -220,7 +222,7 @@ static void gcm_mult( mbedtls_gcm_context *ctx, const unsigned char x[16],
    uint64_t zh, zl;

 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
-    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) ) {
+    if( X86_HAVE( PCLMUL ) ) {
        unsigned char h[16];

        PUT_UINT32_BE( ctx->HH[8] >> 32, h,  0 );
--- a/third_party/mbedtls/library/havege.c
+++ b/third_party/mbedtls/library/havege.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 *  \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
 *
@ -24,16 +26,13 @@
 *  Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_HAVEGE_C)

-#include "mbedtls/havege.h"
-#include "mbedtls/timing.h"
-#include "mbedtls/platform_util.h"
-
-#include <stdint.h>
-#include <string.h>
+#include "third_party/mbedtls/include/mbedtls/havege.h"
+#include "third_party/mbedtls/include/mbedtls/timing.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

 /* ------------------------------------------------------------------------
 * On average, one iteration accesses two 8-word blocks in the havege WALK
--- a/third_party/mbedtls/library/hkdf.c
+++ b/third_party/mbedtls/library/hkdf.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  HKDF implementation -- RFC 5869
 *
@ -16,14 +18,14 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
-#include "common.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_HKDF_C)

-#include <string.h>
-#include "mbedtls/hkdf.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/hkdf.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
--- a/third_party/mbedtls/library/hmac_drbg.c
+++ b/third_party/mbedtls/library/hmac_drbg.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  HMAC_DRBG implementation (NIST SP 800-90)
 *
@ -23,25 +25,24 @@
 *  References below are based on rev. 1 (January 2012).
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "libc/stdio/stdio.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_HMAC_DRBG_C)

-#include "mbedtls/hmac_drbg.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/hmac_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
 #endif

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_SELF_TEST */
 #endif /* MBEDTLS_PLATFORM_C */
--- a/third_party/mbedtls/library/md.c
+++ b/third_party/mbedtls/library/md.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file md.c
 *
@ -21,35 +23,32 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_MD_C)

-#include "mbedtls/md.h"
-#include "mbedtls/md_internal.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md_internal.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include "mbedtls/md2.h"
-#include "mbedtls/md4.h"
-#include "mbedtls/md5.h"
-#include "mbedtls/ripemd160.h"
-#include "mbedtls/sha1.h"
-#include "mbedtls/sha256.h"
-#include "mbedtls/sha512.h"
+#include "third_party/mbedtls/include/mbedtls/md2.h"
+#include "third_party/mbedtls/include/mbedtls/md4.h"
+#include "third_party/mbedtls/include/mbedtls/md5.h"
+#include "third_party/mbedtls/include/mbedtls/ripemd160.h"
+#include "third_party/mbedtls/include/mbedtls/sha1.h"
+#include "third_party/mbedtls/include/mbedtls/sha256.h"
+#include "third_party/mbedtls/include/mbedtls/sha512.h"

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif

-#include <string.h>

 #if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
 #endif

 #if defined(MBEDTLS_MD2_C)
--- a/third_party/mbedtls/library/md2.c
+++ b/third_party/mbedtls/library/md2.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  RFC 1115/1319 compliant MD2 implementation
 *
@ -23,21 +25,19 @@
 *  http://www.ietf.org/rfc/rfc1319.txt
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_MD2_C)

-#include "mbedtls/md2.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/md2.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/md4.c
+++ b/third_party/mbedtls/library/md4.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  RFC 1186/1320 compliant MD4 implementation
 *
@ -23,21 +25,19 @@
 *  http://www.ietf.org/rfc/rfc1320.txt
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_MD4_C)

-#include "mbedtls/md4.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/md4.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/md5.c
+++ b/third_party/mbedtls/library/md5.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  RFC 1321 compliant MD5 implementation
 *
@ -22,21 +24,19 @@
 *  http://www.ietf.org/rfc/rfc1321.txt
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_MD5_C)

-#include "mbedtls/md5.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/md5.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/memory_buffer_alloc.c
+++ b/third_party/mbedtls/library/memory_buffer_alloc.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Buffer-based memory allocator
 *
@ -17,24 +19,18 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-#include "mbedtls/memory_buffer_alloc.h"
+#include "third_party/mbedtls/include/mbedtls/memory_buffer_alloc.h"

 /* No need for the header guard as MBEDTLS_MEMORY_BUFFER_ALLOC_C
   is dependent upon MBEDTLS_PLATFORM_C */
-#include "mbedtls/platform.h"
-#include "mbedtls/platform_util.h"
-
-#include <string.h>
-
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
-#include <execinfo.h>
-#endif
+#include "third_party/mbedtls/include/mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

 #if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
 #endif

 #define MAGIC1       0xFF00AA55
--- a/third_party/mbedtls/library/net_sockets.c
+++ b/third_party/mbedtls/library/net_sockets.c
@ -16,14 +16,26 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
-
 /* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
 * be set before config.h, which pulls in glibc's features.h indirectly.
 * Harmless on other platforms. */
 #define _POSIX_C_SOURCE 200112L
-#define _XOPEN_SOURCE 600 /* sockaddr_storage */
-
-#include "common.h"
+#define _XOPEN_SOURCE   600 /* sockaddr_storage */
+#include "libc/calls/calls.h"
+#include "libc/dns/dns.h"
+#include "libc/errno.h"
+#include "libc/sock/select.h"
+#include "libc/sock/sock.h"
+#include "libc/sysv/consts/af.h"
+#include "libc/sysv/consts/f.h"
+#include "libc/sysv/consts/ipproto.h"
+#include "libc/sysv/consts/msg.h"
+#include "libc/sysv/consts/o.h"
+#include "libc/sysv/consts/so.h"
+#include "libc/sysv/consts/sock.h"
+#include "libc/sysv/consts/sol.h"
+#include "third_party/mbedtls/library/common.h"
+/* clang-format off */

 #if defined(MBEDTLS_NET_C)

@ -34,42 +46,19 @@
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #endif

-#include "mbedtls/net_sockets.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/net_sockets.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
    !defined(EFI32)

 #define IS_EINTR( ret ) ( ( ret ) == WSAEINTR )

-#if !defined(_WIN32_WINNT)
-/* Enables getaddrinfo() & Co */
-#define _WIN32_WINNT 0x0501
-#endif
-
-#include <ws2tcpip.h>
-
-#include <winsock2.h>
-#include <windows.h>
-#if (_WIN32_WINNT < 0x0501)
-#include <wspiapi.h>
-#endif
-
-#if defined(_MSC_VER)
-#if defined(_WIN32_WCE)
-#pragma comment( lib, "ws2.lib" )
-#else
-#pragma comment( lib, "ws2_32.lib" )
-#endif
-#endif /* _MSC_VER */
-
 #define read(fd,buf,len)        recv( fd, (char*)( buf ), (int)( len ), 0 )
 #define write(fd,buf,len)       send( fd, (char*)( buf ), (int)( len ), 0 )
 #define close(fd)               closesocket(fd)
@ -78,17 +67,6 @@ static int wsa_init_done = 0;

 #else /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */

-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/time.h>
-#include <unistd.h>
-#include <signal.h>
-#include <fcntl.h>
-#include <netdb.h>
-#include <errno.h>
-
 #define IS_EINTR( ret ) ( ( ret ) == EINTR )

 #endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
@ -101,11 +79,8 @@ static int wsa_init_done = 0;
 #define MSVC_INT_CAST
 #endif

-#include <stdio.h>

-#include <time.h>

-#include <stdint.h>

 /*
 * Prepare for using the sockets interface
@ -290,14 +265,8 @@ static int net_would_block( const mbedtls_net_context *ctx )
        return( 0 );
    }

-    switch( errno = err )
-    {
-#if defined EAGAIN
-        case EAGAIN:
-#endif
-#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
-        case EWOULDBLOCK:
-#endif
+    errno = err;
+    if (err == EAGAIN) {
            return( 1 );
    }
    return( 0 );
@ -410,13 +379,7 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
        }
        else
        {
-            struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &client_addr;
-            *ip_len = sizeof( addr6->sin6_addr.s6_addr );
-
-            if( buf_size < *ip_len )
-                return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
-
-            memcpy( client_ip, &addr6->sin6_addr.s6_addr, *ip_len);
+            abort();
        }
    }

--- a/third_party/mbedtls/library/nist_kw.c
+++ b/third_party/mbedtls/library/nist_kw.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
 *  only
@ -27,22 +29,19 @@
 * the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_NIST_KW_C)

-#include "mbedtls/nist_kw.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/nist_kw.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <stdint.h>
-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
--- a/third_party/mbedtls/library/oid.c
+++ b/third_party/mbedtls/library/oid.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file oid.c
 *
@ -19,19 +21,17 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_OID_C)

-#include "mbedtls/oid.h"
-#include "mbedtls/rsa.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <stdio.h>
-#include <string.h>

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
 #define mbedtls_snprintf snprintf
 #endif
--- a/third_party/mbedtls/library/padlock.c
+++ b/third_party/mbedtls/library/padlock.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  VIA PadLock support functions
 *
@ -23,13 +25,12 @@
 *  programming_guide.pdf
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PADLOCK_C)

-#include "mbedtls/padlock.h"
+#include "third_party/mbedtls/include/mbedtls/padlock.h"

-#include <string.h>

 #ifndef asm
 #define asm __asm
--- a/third_party/mbedtls/library/pem.c
+++ b/third_party/mbedtls/library/pem.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Privacy Enhanced Mail (PEM) decoding
 *
@ -17,25 +19,23 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)

-#include "mbedtls/pem.h"
-#include "mbedtls/base64.h"
-#include "mbedtls/des.h"
-#include "mbedtls/aes.h"
-#include "mbedtls/md5.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/pem.h"
+#include "third_party/mbedtls/include/mbedtls/base64.h"
+#include "third_party/mbedtls/include/mbedtls/des.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/md5.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif
--- a/third_party/mbedtls/library/pk.c
+++ b/third_party/mbedtls/library/pk.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Public Key abstraction layer
 *
@ -17,32 +19,30 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PK_C)
-#include "mbedtls/pk.h"
-#include "mbedtls/pk_internal.h"
+#include "third_party/mbedtls/include/psa/sheesh.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/pk_internal.h"

-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
 #endif
 #if defined(MBEDTLS_ECP_C)
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
 #endif
 #if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
+#include "third_party/mbedtls/include/mbedtls/ecdsa.h"
 #endif

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "mbedtls/psa_util.h"
+#include "third_party/mbedtls/include/mbedtls/psa_util.h"
 #endif

-#include <limits.h>
-#include <stdint.h>
-
 /* Parameter validation macros based on platform_util.h */
 #define PK_VALIDATE_RET( cond )    \
    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
--- a/third_party/mbedtls/library/pk_wrap.c
+++ b/third_party/mbedtls/library/pk_wrap.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Public Key abstraction layer: wrapper functions
 *
@ -17,49 +19,46 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"
+#include "third_party/mbedtls/include/psa/sheesh.h"

 #if defined(MBEDTLS_PK_C)
-#include "mbedtls/pk_internal.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/pk_internal.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 /* Even if RSA not activated, for the sake of RSA-alt */
-#include "mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"

-#include <string.h>

 #if defined(MBEDTLS_ECP_C)
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
 #endif

 #if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
+#include "third_party/mbedtls/include/mbedtls/ecdsa.h"
 #endif

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "mbedtls/asn1write.h"
+#include "third_party/mbedtls/include/mbedtls/asn1write.h"
 #endif

 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #endif

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#include "mbedtls/psa_util.h"
-#include "mbedtls/asn1.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/include/mbedtls/psa_util.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif

-#include <limits.h>
-#include <stdint.h>

 #if defined(MBEDTLS_RSA_C)
 static int rsa_can_do( mbedtls_pk_type_t type )
--- a/third_party/mbedtls/library/pkcs11.c
+++ b/third_party/mbedtls/library/pkcs11.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file pkcs11.c
 *
@ -21,23 +23,21 @@
 *  limitations under the License.
 */

-#include "mbedtls/pkcs11.h"
+#include "third_party/mbedtls/include/mbedtls/pkcs11.h"

 #if defined(MBEDTLS_PKCS11_C)

-#include "mbedtls/md.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/x509_crt.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/x509_crt.h"

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif

-#include <string.h>

 void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx )
 {
--- a/third_party/mbedtls/library/pkcs12.c
+++ b/third_party/mbedtls/library/pkcs12.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PKCS#12 Personal Information Exchange Syntax
 *
@ -23,24 +25,23 @@
 *  ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PKCS12_C)

-#include "mbedtls/pkcs12.h"
-#include "mbedtls/asn1.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/pkcs12.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_ARC4_C)
-#include "mbedtls/arc4.h"
+#include "third_party/mbedtls/include/mbedtls/arc4.h"
 #endif

 #if defined(MBEDTLS_DES_C)
-#include "mbedtls/des.h"
+#include "third_party/mbedtls/include/mbedtls/des.h"
 #endif

 #if defined(MBEDTLS_ASN1_PARSE_C)
--- a/third_party/mbedtls/library/pkcs5.c
+++ b/third_party/mbedtls/library/pkcs5.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file pkcs5.c
 *
@ -27,25 +29,23 @@
 * http://tools.ietf.org/html/rfc6070 (Test vectors)
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PKCS5_C)

-#include "mbedtls/pkcs5.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/pkcs5.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(MBEDTLS_ASN1_PARSE_C)
-#include "mbedtls/asn1.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
 #endif /* MBEDTLS_ASN1_PARSE_C */

-#include <string.h>

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif

--- a/third_party/mbedtls/library/pkparse.c
+++ b/third_party/mbedtls/library/pkparse.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Public Key layer for parsing key files and structures
 *
@ -17,41 +19,40 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "libc/calls/calls.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PK_PARSE_C)

-#include "mbedtls/pk.h"
-#include "mbedtls/asn1.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
 #endif
 #if defined(MBEDTLS_ECP_C)
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
 #endif
 #if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
+#include "third_party/mbedtls/include/mbedtls/ecdsa.h"
 #endif
 #if defined(MBEDTLS_PEM_PARSE_C)
-#include "mbedtls/pem.h"
+#include "third_party/mbedtls/include/mbedtls/pem.h"
 #endif
 #if defined(MBEDTLS_PKCS5_C)
-#include "mbedtls/pkcs5.h"
+#include "third_party/mbedtls/include/mbedtls/pkcs5.h"
 #endif
 #if defined(MBEDTLS_PKCS12_C)
-#include "mbedtls/pkcs12.h"
+#include "third_party/mbedtls/include/mbedtls/pkcs12.h"
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif
--- a/third_party/mbedtls/library/pkwrite.c
+++ b/third_party/mbedtls/library/pkwrite.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Public Key layer for writing key files and structures
 *
@ -17,41 +19,39 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PK_WRITE_C)

-#include "mbedtls/pk.h"
-#include "mbedtls/asn1write.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/asn1write.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
 #endif
 #if defined(MBEDTLS_ECP_C)
-#include "mbedtls/bignum.h"
-#include "mbedtls/ecp.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #endif
 #if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
+#include "third_party/mbedtls/include/mbedtls/ecdsa.h"
 #endif
 #if defined(MBEDTLS_PEM_WRITE_C)
-#include "mbedtls/pem.h"
+#include "third_party/mbedtls/include/mbedtls/pem.h"
 #endif

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#include "mbedtls/psa_util.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/include/mbedtls/psa_util.h"
 #endif
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
 #endif
@ -581,15 +581,19 @@ int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *key, unsigned char *buf, si
 int mbedtls_pk_write_key_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    unsigned char output_buf[PRV_DER_MAX_BYTES];
+    unsigned char *output_buf;
    const char *begin, *end;
    size_t olen = 0;

    PK_VALIDATE_RET( key != NULL );
    PK_VALIDATE_RET( buf != NULL || size == 0 );

-    if( ( ret = mbedtls_pk_write_key_der( key, output_buf, sizeof(output_buf) ) ) < 0 )
+    output_buf = malloc(PRV_DER_MAX_BYTES);
+
+    if( ( ret = mbedtls_pk_write_key_der( key, output_buf, PRV_DER_MAX_BYTES ) ) < 0 ) {
+        free(output_buf);
        return( ret );
+    }

 #if defined(MBEDTLS_RSA_C)
    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
@ -610,12 +614,14 @@ int mbedtls_pk_write_key_pem( mbedtls_pk_context *key, unsigned char *buf, size_
        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );

    if( ( ret = mbedtls_pem_write_buffer( begin, end,
-                                  output_buf + sizeof(output_buf) - ret,
+                                  output_buf + PRV_DER_MAX_BYTES - ret,
                                  ret, buf, size, &olen ) ) != 0 )
    {
+        free(output_buf);
        return( ret );
    }

+    free(output_buf);
    return( 0 );
 }
 #endif /* MBEDTLS_PEM_WRITE_C */
--- a/third_party/mbedtls/library/platform.c
+++ b/third_party/mbedtls/library/platform.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Platform abstraction layer
 *
@ -17,13 +19,13 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PLATFORM_C)

-#include "mbedtls/platform.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 /* The compile time configuration of memory allocation via the macros
 * MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
@ -78,7 +80,6 @@ int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
             defined(MBEDTLS_PLATFORM_FREE_MACRO) ) */

 #if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
-#include <stdarg.h>
 int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -123,7 +124,6 @@ int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
 #endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */

 #if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
-#include <stdarg.h>
 int mbedtls_platform_win32_vsnprintf( char *s, size_t n, const char *fmt, va_list arg )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
--- a/third_party/mbedtls/library/platform_util.c
+++ b/third_party/mbedtls/library/platform_util.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 * Common and shared functions used by multiple modules in the Mbed TLS
 * library.
@ -26,14 +28,15 @@
 #define _POSIX_C_SOURCE 200112L
 #endif

-#include "common.h"
+#include "libc/time/time.h"
+#include "libc/time/struct/tm.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

-#include "mbedtls/platform_util.h"
-#include "mbedtls/platform.h"
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"

-#include <stddef.h>
-#include <string.h>

 #if !defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
 /*
@ -74,11 +77,9 @@ void mbedtls_platform_zeroize( void *buf, size_t len )
 #endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */

 #if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
-#include <time.h>
 #if !defined(_WIN32) && (defined(unix) || \
    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
    defined(__MACH__)))
-#include <unistd.h>
 #endif /* !_WIN32 && (unix || __unix || __unix__ ||
        * (__APPLE__ && __MACH__)) */

--- a/third_party/mbedtls/library/poly1305.c
+++ b/third_party/mbedtls/library/poly1305.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file poly1305.c
 *
@ -18,21 +20,20 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
-#include "common.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_POLY1305_C)

-#include "mbedtls/poly1305.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/poly1305.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/psa_crypto.c
+++ b/third_party/mbedtls/library/psa_crypto.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA crypto layer on top of Mbed TLS crypto
 */
@ -18,75 +20,72 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PSA_CRYPTO_C)

 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
-#include "check_crypto_config.h"
+#include "third_party/mbedtls/library/check_crypto_config.h"
 #endif

-#include "psa_crypto_service_integration.h"
-#include "psa/crypto.h"
+#include "third_party/mbedtls/library/psa_crypto_service_integration.h"
+#include "third_party/mbedtls/include/psa/crypto.h"

-#include "psa_crypto_core.h"
-#include "psa_crypto_invasive.h"
-#include "psa_crypto_driver_wrappers.h"
-#include "psa_crypto_ecp.h"
-#include "psa_crypto_rsa.h"
-#include "psa_crypto_ecp.h"
+#include "third_party/mbedtls/library/psa_crypto_core.h"
+#include "third_party/mbedtls/library/psa_crypto_invasive.h"
+#include "third_party/mbedtls/library/psa_crypto_driver_wrappers.h"
+#include "third_party/mbedtls/library/psa_crypto_ecp.h"
+#include "third_party/mbedtls/library/psa_crypto_rsa.h"
+#include "third_party/mbedtls/library/psa_crypto_ecp.h"
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-#include "psa_crypto_se.h"
+#include "third_party/mbedtls/library/psa_crypto_se.h"
 #endif
-#include "psa_crypto_slot_management.h"
+#include "third_party/mbedtls/library/psa_crypto_slot_management.h"
 /* Include internal declarations that are useful for implementing persistently
 * stored keys. */
-#include "psa_crypto_storage.h"
+#include "third_party/mbedtls/library/psa_crypto_storage.h"

-#include "psa_crypto_random_impl.h"
+#include "third_party/mbedtls/library/psa_crypto_random_impl.h"

-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #if !defined(MBEDTLS_PLATFORM_C)
 #define mbedtls_calloc calloc
 #define mbedtls_free   free
 #endif

-#include "mbedtls/aes.h"
-#include "mbedtls/arc4.h"
-#include "mbedtls/asn1.h"
-#include "mbedtls/asn1write.h"
-#include "mbedtls/bignum.h"
-#include "mbedtls/blowfish.h"
-#include "mbedtls/camellia.h"
-#include "mbedtls/chacha20.h"
-#include "mbedtls/chachapoly.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/ccm.h"
-#include "mbedtls/cmac.h"
-#include "mbedtls/des.h"
-#include "mbedtls/ecdh.h"
-#include "mbedtls/ecp.h"
-#include "mbedtls/entropy.h"
-#include "mbedtls/error.h"
-#include "mbedtls/gcm.h"
-#include "mbedtls/md2.h"
-#include "mbedtls/md4.h"
-#include "mbedtls/md5.h"
-#include "mbedtls/md.h"
-#include "mbedtls/md_internal.h"
-#include "mbedtls/pk.h"
-#include "mbedtls/pk_internal.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-#include "mbedtls/ripemd160.h"
-#include "mbedtls/rsa.h"
-#include "mbedtls/sha1.h"
-#include "mbedtls/sha256.h"
-#include "mbedtls/sha512.h"
-#include "mbedtls/xtea.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/arc4.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/asn1write.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/blowfish.h"
+#include "third_party/mbedtls/include/mbedtls/camellia.h"
+#include "third_party/mbedtls/include/mbedtls/chacha20.h"
+#include "third_party/mbedtls/include/mbedtls/chachapoly.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/ccm.h"
+#include "third_party/mbedtls/include/mbedtls/cmac.h"
+#include "third_party/mbedtls/include/mbedtls/des.h"
+#include "third_party/mbedtls/include/mbedtls/ecdh.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/entropy.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/gcm.h"
+#include "third_party/mbedtls/include/mbedtls/md2.h"
+#include "third_party/mbedtls/include/mbedtls/md4.h"
+#include "third_party/mbedtls/include/mbedtls/md5.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md_internal.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/pk_internal.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/ripemd160.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/sha1.h"
+#include "third_party/mbedtls/include/mbedtls/sha256.h"
+#include "third_party/mbedtls/include/mbedtls/sha512.h"
+#include "third_party/mbedtls/include/mbedtls/xtea.h"

 #define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )

@ -5862,7 +5861,7 @@ int mbedtls_psa_get_random( void *p_rng,
 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */

 #if defined(MBEDTLS_PSA_INJECT_ENTROPY)
-#include "mbedtls/entropy_poll.h"
+#include "third_party/mbedtls/include/mbedtls/entropy_poll.h"

 psa_status_t mbedtls_psa_inject_entropy( const uint8_t *seed,
                                         size_t seed_size )
--- a/third_party/mbedtls/library/psa_crypto_client.c
+++ b/third_party/mbedtls/library/psa_crypto_client.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA crypto client code
 */
@ -18,14 +20,13 @@
 *  limitations under the License.
 */

-#include "common.h"
-#include "psa_crypto_service_integration.h"
-#include "psa/crypto.h"
+#include "third_party/mbedtls/library/common.h"
+#include "third_party/mbedtls/library/psa_crypto_service_integration.h"
+#include "third_party/mbedtls/include/psa/crypto.h"

 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT)

-#include <string.h>
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #if !defined(MBEDTLS_PLATFORM_C)
 #define mbedtls_calloc calloc
 #define mbedtls_free   free
--- a/third_party/mbedtls/library/psa_crypto_core.h
+++ b/third_party/mbedtls/library/psa_crypto_core.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA crypto core internal interfaces
 */
@ -22,15 +24,15 @@
 #define PSA_CRYPTO_CORE_H

 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif

-#include "psa/crypto.h"
-#include "psa/crypto_se_driver.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/include/psa/crypto_se_driver.h"

-#include <mbedtls/md_internal.h>
+#include "third_party/mbedtls/include/mbedtls/md_internal.h"

 /** The data structure representing a key slot, containing key material
 * and metadata for one key.
--- a/third_party/mbedtls/library/psa_crypto_driver_wrappers.c
+++ b/third_party/mbedtls/library/psa_crypto_driver_wrappers.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Functions to delegate cryptographic operations to an available
 *  and appropriate accelerator.
@ -19,9 +21,9 @@
 *  limitations under the License.
 */

-#include "psa_crypto_core.h"
-#include "psa_crypto_driver_wrappers.h"
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/library/psa_crypto_core.h"
+#include "third_party/mbedtls/library/psa_crypto_driver_wrappers.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"

 #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)

@ -33,7 +35,7 @@
 #ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
 #define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
 #endif
-#include "test/drivers/test_driver.h"
+/* #include "test/drivers/test_driver.h" */
 #endif /* PSA_CRYPTO_DRIVER_TEST */

 /* Repeat above block for each JSON-declared driver during autogeneration */
@ -53,7 +55,7 @@
 #ifndef PSA_CRYPTO_DRIVER_PRESENT
 #define PSA_CRYPTO_DRIVER_PRESENT
 #endif
-#include "psa_crypto_se.h"
+#include "third_party/mbedtls/library/psa_crypto_se.h"
 #endif

 /* Start delegation functions */
--- a/third_party/mbedtls/library/psa_crypto_driver_wrappers.h
+++ b/third_party/mbedtls/library/psa_crypto_driver_wrappers.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Function signatures for functionality that can be provided by
 *  cryptographic accelerators.
@ -22,8 +24,9 @@
 #ifndef PSA_CRYPTO_DRIVER_WRAPPERS_H
 #define PSA_CRYPTO_DRIVER_WRAPPERS_H

-#include "psa/crypto.h"
-#include "psa/crypto_driver_common.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/library/psa_crypto_core.h"
+#include "third_party/mbedtls/include/psa/crypto_driver_common.h"

 /*
 * Signature functions
--- a/third_party/mbedtls/library/psa_crypto_ecp.c
+++ b/third_party/mbedtls/library/psa_crypto_ecp.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA ECP layer on top of Mbed TLS crypto
 */
@ -18,26 +20,24 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PSA_CRYPTO_C)

-#include <psa/crypto.h>
-#include "psa_crypto_core.h"
-#include "psa_crypto_ecp.h"
-#include "psa_crypto_random_impl.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/library/psa_crypto_core.h"
+#include "third_party/mbedtls/library/psa_crypto_ecp.h"
+#include "third_party/mbedtls/library/psa_crypto_random_impl.h"

-#include <stdlib.h>
-#include <string.h>
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #if !defined(MBEDTLS_PLATFORM_C)
 #define mbedtls_calloc calloc
 #define mbedtls_free   free
 #endif

-#include <mbedtls/ecdsa.h>
-#include <mbedtls/ecp.h>
-#include <mbedtls/error.h>
+#include "third_party/mbedtls/include/mbedtls/ecdsa.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||  \
      ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
--- a/third_party/mbedtls/library/psa_crypto_ecp.h
+++ b/third_party/mbedtls/library/psa_crypto_ecp.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA ECP layer on top of Mbed TLS crypto
 */
@ -21,8 +23,8 @@
 #ifndef PSA_CRYPTO_ECP_H
 #define PSA_CRYPTO_ECP_H

-#include <psa/crypto.h>
-#include <mbedtls/ecp.h>
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"

 /** Load the contents of a key buffer into an internal ECP representation
 *
--- a/third_party/mbedtls/library/psa_crypto_invasive.h
+++ b/third_party/mbedtls/library/psa_crypto_invasive.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file psa_crypto_invasive.h
 *
@ -31,13 +33,13 @@
 #if defined(MBEDTLS_CONFIG_FILE)
 #include MBEDTLS_CONFIG_FILE
 #else
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #endif

-#include "psa/crypto.h"
-#include "common.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/library/common.h"

-#include "mbedtls/entropy.h"
+#include "third_party/mbedtls/include/mbedtls/entropy.h"

 #if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
 /** \brief Configure entropy sources.
--- a/third_party/mbedtls/library/psa_crypto_its.h
+++ b/third_party/mbedtls/library/psa_crypto_its.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /** \file psa_crypto_its.h
 * \brief Interface of trusted storage that crypto is built on.
 */
@ -21,11 +23,9 @@
 #ifndef PSA_CRYPTO_ITS_H
 #define PSA_CRYPTO_ITS_H

-#include <stddef.h>
-#include <stdint.h>

-#include <psa/crypto_types.h>
-#include <psa/crypto_values.h>
+#include "third_party/mbedtls/include/psa/crypto_types.h"
+#include "third_party/mbedtls/include/psa/crypto_values.h"

 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/library/psa_crypto_random_impl.h
+++ b/third_party/mbedtls/library/psa_crypto_random_impl.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /** \file psa_crypto_random_impl.h
 *
 * \brief PSA crypto random generator implementation abstraction.
@ -30,13 +32,12 @@
 #ifndef PSA_CRYPTO_RANDOM_IMPL_H
 #define PSA_CRYPTO_RANDOM_IMPL_H

-#include <mbedtls/psa_util.h>
+#include "third_party/mbedtls/include/mbedtls/psa_util.h"

 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)

-#include <string.h>
-#include <mbedtls/entropy.h> // only for error codes
-#include <psa/crypto.h>
+#include "third_party/mbedtls/include/mbedtls/entropy.h" // only for error code
+#include "third_party/mbedtls/include/psa/crypto.h"

 typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;

@ -53,17 +54,16 @@ int mbedtls_psa_get_random( void *p_rng,
 /* Choose a DRBG based on configuration and availability */
 #if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)

-#include "mbedtls/hmac_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/hmac_drbg.h"

 #elif defined(MBEDTLS_CTR_DRBG_C)

-#include "mbedtls/ctr_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/ctr_drbg.h"

 #elif defined(MBEDTLS_HMAC_DRBG_C)

-#include "mbedtls/hmac_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/hmac_drbg.h"
 #if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_SHA256_C)
-#include <limits.h>
 #if SIZE_MAX > 0xffffffff
 /* Looks like a 64-bit system, so prefer SHA-512. */
 #define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA512
@ -83,7 +83,7 @@ int mbedtls_psa_get_random( void *p_rng,
 #error "No DRBG module available for the psa_crypto module."
 #endif

-#include "mbedtls/entropy.h"
+#include "third_party/mbedtls/include/mbedtls/entropy.h"

 /** Initialize the PSA DRBG.
 *
@ -124,20 +124,6 @@ typedef struct
    mbedtls_psa_drbg_context_t drbg;
 } mbedtls_psa_random_context_t;

-/* Defined in include/mbedtls/psa_util.h so that it's visible to
- * application code. The declaration here is redundant, but included
- * as a safety net to make it more likely that a future change that
- * accidentally causes the implementation to diverge from the interface
- * will be noticed. */
-/* Do not include the declaration under MSVC because it doesn't accept it
- * ("error C2370: 'mbedtls_psa_get_random' : redefinition; different storage class").
- * Observed with Visual Studio 2013. A known bug apparently:
- * https://stackoverflow.com/questions/8146541/duplicate-external-static-declarations-not-allowed-in-visual-studio
- */
-#if !defined(_MSC_VER)
-static mbedtls_f_rng_t *const mbedtls_psa_get_random;
-#endif
-
 /** The maximum number of bytes that mbedtls_psa_get_random() is expected to
 * return.
 */
@ -147,18 +133,6 @@ static mbedtls_f_rng_t *const mbedtls_psa_get_random;
 #define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
 #endif

-/** A pointer to the PSA DRBG state.
- *
- * This variable is only intended to be used through the macro
- * #MBEDTLS_PSA_RANDOM_STATE.
- */
-/* psa_crypto.c sets this variable to a pointer to the DRBG state in the
- * global PSA crypto state. */
-/* The type `mbedtls_psa_drbg_context_t` is defined in
- * include/mbedtls/psa_util.h so that `mbedtls_psa_random_state` can be
- * declared there and be visible to application code. */
-extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
-
 /** A pointer to the PSA DRBG state.
 *
 * This macro expands to an expression that is suitable as the \c p_rng
--- a/third_party/mbedtls/library/psa_crypto_rsa.c
+++ b/third_party/mbedtls/library/psa_crypto_rsa.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA RSA layer on top of Mbed TLS crypto
 */
@ -18,27 +20,26 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "libc/limits.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PSA_CRYPTO_C)

-#include <psa/crypto.h>
-#include "psa_crypto_core.h"
-#include "psa_crypto_random_impl.h"
-#include "psa_crypto_rsa.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/library/psa_crypto_core.h"
+#include "third_party/mbedtls/library/psa_crypto_random_impl.h"
+#include "third_party/mbedtls/library/psa_crypto_rsa.h"

-#include <stdlib.h>
-#include <string.h>
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #if !defined(MBEDTLS_PLATFORM_C)
 #define mbedtls_calloc calloc
 #define mbedtls_free   free
 #endif

-#include <mbedtls/rsa.h>
-#include <mbedtls/error.h>
-#include <mbedtls/pk.h>
-#include <mbedtls/pk_internal.h>
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/pk_internal.h"

 #if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||  \
      ( defined(PSA_CRYPTO_DRIVER_TEST) &&                   \
--- a/third_party/mbedtls/library/psa_crypto_rsa.h
+++ b/third_party/mbedtls/library/psa_crypto_rsa.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA RSA layer on top of Mbed TLS crypto
 */
@ -21,8 +23,8 @@
 #ifndef PSA_CRYPTO_RSA_H
 #define PSA_CRYPTO_RSA_H

-#include <psa/crypto.h>
-#include <mbedtls/rsa.h>
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"

 /** Load the contents of a key buffer into an internal RSA representation
 *
--- a/third_party/mbedtls/library/psa_crypto_se.c
+++ b/third_party/mbedtls/library/psa_crypto_se.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA crypto support for secure element drivers
 */
@ -18,26 +20,23 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)

-#include <assert.h>
-#include <stdint.h>
-#include <string.h>

-#include "psa/crypto_se_driver.h"
+#include "third_party/mbedtls/include/psa/crypto_se_driver.h"

-#include "psa_crypto_se.h"
+#include "third_party/mbedtls/library/psa_crypto_se.h"

 #if defined(MBEDTLS_PSA_ITS_FILE_C)
-#include "psa_crypto_its.h"
+#include "third_party/mbedtls/library/psa_crypto_its.h"
 #else /* Native ITS implementation */
-#include "psa/error.h"
-#include "psa/internal_trusted_storage.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+/* #include "third_party/mbedtls/include/psa/internal_trusted_storage.h" */
 #endif

-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #if !defined(MBEDTLS_PLATFORM_C)
 #define mbedtls_calloc calloc
 #define mbedtls_free   free
--- a/third_party/mbedtls/library/psa_crypto_se.h
+++ b/third_party/mbedtls/library/psa_crypto_se.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA crypto support for secure element drivers
 */
@ -22,13 +24,13 @@
 #define PSA_CRYPTO_SE_H

 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif

-#include "psa/crypto.h"
-#include "psa/crypto_se_driver.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/include/psa/crypto_se_driver.h"

 /** The maximum location value that this implementation supports
 * for a secure element.
--- a/third_party/mbedtls/library/psa_crypto_service_integration.h
+++ b/third_party/mbedtls/library/psa_crypto_service_integration.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0
@ -33,7 +35,7 @@
 * flag.
 */
 #define PSA_CRYPTO_SECURE 1
-#include "crypto_spe.h"
+/* #include "third_party/mbedtls/include/mbedtls/crypto_spe.h" */
 #endif // MBEDTLS_PSA_CRYPTO_SPM

 #endif // PSA_CRYPTO_SERVICE_INTEGRATION_H
--- a/third_party/mbedtls/library/psa_crypto_slot_management.c
+++ b/third_party/mbedtls/library/psa_crypto_slot_management.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA crypto layer on top of Mbed TLS crypto
 */
@ -18,24 +20,22 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_PSA_CRYPTO_C)

-#include "psa_crypto_service_integration.h"
-#include "psa/crypto.h"
+#include "third_party/mbedtls/library/psa_crypto_service_integration.h"
+#include "third_party/mbedtls/include/psa/crypto.h"

-#include "psa_crypto_core.h"
-#include "psa_crypto_slot_management.h"
-#include "psa_crypto_storage.h"
+#include "third_party/mbedtls/library/psa_crypto_core.h"
+#include "third_party/mbedtls/library/psa_crypto_slot_management.h"
+#include "third_party/mbedtls/library/psa_crypto_storage.h"
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-#include "psa_crypto_se.h"
+#include "third_party/mbedtls/library/psa_crypto_se.h"
 #endif

-#include <stdlib.h>
-#include <string.h>
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
 #define mbedtls_calloc calloc
 #define mbedtls_free   free
--- a/third_party/mbedtls/library/psa_crypto_slot_management.h
+++ b/third_party/mbedtls/library/psa_crypto_slot_management.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA crypto layer on top of Mbed TLS crypto
 */
@ -21,9 +23,10 @@
 #ifndef PSA_CRYPTO_SLOT_MANAGEMENT_H
 #define PSA_CRYPTO_SLOT_MANAGEMENT_H

-#include "psa/crypto.h"
-#include "psa_crypto_core.h"
-#include "psa_crypto_se.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/library/psa_crypto_core.h"
+#include "libc/limits.h"
+#include "third_party/mbedtls/library/psa_crypto_se.h"

 /** Range of volatile key identifiers.
 *
--- a/third_party/mbedtls/library/psa_crypto_storage.c
+++ b/third_party/mbedtls/library/psa_crypto_storage.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA persistent key storage
 */
@ -21,30 +23,27 @@
 #if defined(MBEDTLS_CONFIG_FILE)
 #include MBEDTLS_CONFIG_FILE
 #else
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #endif

 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)

-#include <stdlib.h>
-#include <string.h>

-#include "psa_crypto_service_integration.h"
-#include "psa/crypto.h"
-#include "psa_crypto_storage.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/library/psa_crypto_service_integration.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/library/psa_crypto_storage.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

 #if defined(MBEDTLS_PSA_ITS_FILE_C)
-#include "psa_crypto_its.h"
+#include "third_party/mbedtls/library/psa_crypto_its.h"
 #else /* Native ITS implementation */
-#include "psa/error.h"
-#include "psa/internal_trusted_storage.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+/* #include "third_party/mbedtls/include/psa/internal_trusted_storage.h" */
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc   calloc
 #define mbedtls_free     free
 #endif
--- a/third_party/mbedtls/library/psa_crypto_storage.h
+++ b/third_party/mbedtls/library/psa_crypto_storage.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file psa_crypto_storage.h
 *
@ -27,11 +29,9 @@
 extern "C" {
 #endif

-#include "psa/crypto.h"
-#include "psa/crypto_se_driver.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
+#include "third_party/mbedtls/include/psa/crypto_se_driver.h"

-#include <stdint.h>
-#include <string.h>

 /* Limit the maximum key size in storage. This should have no effect
 * since the key size is limited in memory. */
--- a/third_party/mbedtls/library/psa_its_file.c
+++ b/third_party/mbedtls/library/psa_its_file.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  PSA ITS simulator over stdio files.
 */
@ -21,27 +23,24 @@
 #if defined(MBEDTLS_CONFIG_FILE)
 #include MBEDTLS_CONFIG_FILE
 #else
-#include "mbedtls/config.h"
+#include "libc/limits.h"
+#include "libc/calls/calls.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #endif

 #if defined(MBEDTLS_PSA_ITS_FILE_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
 #define mbedtls_snprintf   snprintf
 #endif

 #if defined(_WIN32)
-#include <windows.h>
 #endif

-#include "psa_crypto_its.h"
+#include "third_party/mbedtls/library/psa_crypto_its.h"

-#include <limits.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <string.h>

 #if !defined(PSA_ITS_STORAGE_PREFIX)
 #define PSA_ITS_STORAGE_PREFIX ""
--- a/third_party/mbedtls/library/rando.c
+++ b/third_party/mbedtls/library/rando.c
@ -0,0 +1,35 @@
+/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
+│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8                                :vi│
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ Copyright 2021 Justine Alexandra Roberts Tunney                              │
+│                                                                              │
+│ Permission to use, copy, modify, and/or distribute this software for         │
+│ any purpose with or without fee is hereby granted, provided that the         │
+│ above copyright notice and this permission notice appear in all copies.      │
+│                                                                              │
+│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
+│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
+│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
+│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
+│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
+│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
+│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
+│ PERFORMANCE OF THIS SOFTWARE.                                                │
+╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/rand/rand.h"
+#include "third_party/mbedtls/include/mbedtls/entropy_poll.h"
+
+int mbedtls_hardware_poll(void *wut, unsigned char *p, size_t n, size_t *olen) {
+  uint64_t x;
+  size_t i, j;
+  i = 0;
+  while (i < n) {
+    x = rand64();
+    for (j = 0; i < n && j < 8; ++i, ++j) {
+      p[i] = x;
+      x >>= 8;
+    }
+  }
+  *olen = i;
+  return 0;
+}
--- a/third_party/mbedtls/library/ripemd160.c
+++ b/third_party/mbedtls/library/ripemd160.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  RIPE MD-160 implementation
 *
@ -23,21 +25,19 @@
 *  http://ehash.iaik.tugraz.at/wiki/RIPEMD-160
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_RIPEMD160_C)

-#include "mbedtls/ripemd160.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/ripemd160.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/rsa.c
+++ b/third_party/mbedtls/library/rsa.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  The RSA public-key cryptosystem
 *
@ -35,30 +37,28 @@
 *
 */

-#include "common.h"
+#include "libc/rand/rand.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_RSA_C)

-#include "mbedtls/rsa.h"
-#include "mbedtls/rsa_internal.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/rsa_internal.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_PKCS1_V21)
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #endif

 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
-#include <stdlib.h>
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #define mbedtls_calloc calloc
 #define mbedtls_free   free
@ -2560,7 +2560,7 @@ void mbedtls_rsa_free( mbedtls_rsa_context *ctx )

 #if defined(MBEDTLS_SELF_TEST)

-#include "mbedtls/sha1.h"
+#include "third_party/mbedtls/include/mbedtls/sha1.h"

 /*
 * Example RSA-1024 keypair, for test purposes
--- a/third_party/mbedtls/library/rsa_internal.c
+++ b/third_party/mbedtls/library/rsa_internal.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Helper functions for the RSA module
 *
@ -18,13 +20,13 @@
 *
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_RSA_C)

-#include "mbedtls/rsa.h"
-#include "mbedtls/bignum.h"
-#include "mbedtls/rsa_internal.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/rsa_internal.h"

 /*
 * Compute RSA prime factors from public and private exponents
--- a/third_party/mbedtls/library/sha1.c
+++ b/third_party/mbedtls/library/sha1.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  FIPS-180-1 compliant SHA-1 implementation
 *
@ -22,21 +24,19 @@
 *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SHA1_C)

-#include "mbedtls/sha1.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
-
-#include <string.h>
+#include "third_party/mbedtls/include/mbedtls/sha1.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/sha256.c
+++ b/third_party/mbedtls/library/sha256.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  FIPS-180-2 compliant SHA-256 implementation
 *
@ -22,22 +24,20 @@
 *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SHA256_C)

-#include "mbedtls/sha256.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/sha256.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
-#include <stdlib.h>
 #define mbedtls_printf printf
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
--- a/third_party/mbedtls/library/sha512.c
+++ b/third_party/mbedtls/library/sha512.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  FIPS-180-2 compliant SHA-384/512 implementation
 *
@ -22,13 +24,15 @@
 *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SHA512_C)

-#include "mbedtls/sha512.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/sha512.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(_MSC_VER) || defined(__WATCOMC__)
  #define UL64(x) x##ui64
@ -36,14 +40,11 @@
  #define UL64(x) x##ULL
 #endif

-#include <string.h>

 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
-#include <stdlib.h>
 #define mbedtls_printf printf
 #define mbedtls_calloc    calloc
 #define mbedtls_free       free
--- a/third_party/mbedtls/library/ssl_cache.c
+++ b/third_party/mbedtls/library/ssl_cache.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  SSL session cache implementation
 *
@ -21,22 +23,20 @@
 * to store and retrieve the session information.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SSL_CACHE_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free      free
 #endif

-#include "mbedtls/ssl_cache.h"
-#include "mbedtls/ssl_internal.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_cache.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_internal.h"

-#include <string.h>

 void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache )
 {
--- a/third_party/mbedtls/library/ssl_ciphersuites.c
+++ b/third_party/mbedtls/library/ssl_ciphersuites.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file ssl_ciphersuites.c
 *
@ -19,20 +21,18 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SSL_TLS_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #endif

-#include "mbedtls/ssl_ciphersuites.h"
-#include "mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_ciphersuites.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"

-#include <string.h>

 /*
 * Ordered from most preferred to least preferred in terms of security.
--- a/third_party/mbedtls/library/ssl_cli.c
+++ b/third_party/mbedtls/library/ssl_cli.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  SSLv3/TLSv1 client-side functions
 *
@ -17,37 +19,35 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SSL_CLI_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free      free
 #endif

-#include "mbedtls/ssl.h"
-#include "mbedtls/ssl_internal.h"
-#include "mbedtls/debug.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/psa/sheesh.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_internal.h"
+#include "third_party/mbedtls/include/mbedtls/debug.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "mbedtls/psa_util.h"
+#include "third_party/mbedtls/include/mbedtls/psa_util.h"
 #endif /* MBEDTLS_USE_PSA_CRYPTO */

-#include <string.h>

-#include <stdint.h>

 #if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
+#include "third_party/mbedtls/include/mbedtls/platform_time.h"
 #endif

 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #endif

 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
--- a/third_party/mbedtls/library/ssl_cookie.c
+++ b/third_party/mbedtls/library/ssl_cookie.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  DTLS cookie callbacks implementation
 *
@ -21,23 +23,22 @@
 * to store and retrieve the session information.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SSL_COOKIE_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
 #define mbedtls_calloc    calloc
 #define mbedtls_free      free
 #endif

-#include "mbedtls/ssl_cookie.h"
-#include "mbedtls/ssl_internal.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_cookie.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_internal.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

-#include <string.h>

 /*
 * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
--- a/third_party/mbedtls/library/ssl_invasive.h
+++ b/third_party/mbedtls/library/ssl_invasive.h
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /**
 * \file ssl_invasive.h
 *
@ -26,8 +28,8 @@
 #ifndef MBEDTLS_SSL_INVASIVE_H
 #define MBEDTLS_SSL_INVASIVE_H

-#include "common.h"
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/library/common.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"

 #if defined(MBEDTLS_TEST_HOOKS) &&              \
    defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
--- a/third_party/mbedtls/library/ssl_msg.c
+++ b/third_party/mbedtls/library/ssl_msg.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Generic SSL/TLS messaging layer functions
 *  (record layer + retransmission state machine)
@ -26,36 +28,35 @@
 *  http://www.ietf.org/rfc/rfc4346.txt
 */

-#include "common.h"
+#include "libc/limits.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SSL_TLS_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free      free
 #endif

-#include "mbedtls/ssl.h"
-#include "mbedtls/ssl_internal.h"
-#include "mbedtls/debug.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/version.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_internal.h"
+#include "third_party/mbedtls/include/mbedtls/debug.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/version.h"

-#include "ssl_invasive.h"
+#include "third_party/mbedtls/library/ssl_invasive.h"

-#include <string.h>

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "mbedtls/psa_util.h"
-#include "psa/crypto.h"
+#include "third_party/mbedtls/include/mbedtls/psa_util.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
 #endif

 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-#include "mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
 #endif

 static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
--- a/third_party/mbedtls/library/ssl_srv.c
+++ b/third_party/mbedtls/library/ssl_srv.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  SSLv3/TLSv1 server-side functions
 *
@ -17,32 +19,30 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SSL_SRV_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free      free
 #endif

-#include "mbedtls/ssl.h"
-#include "mbedtls/ssl_internal.h"
-#include "mbedtls/debug.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_internal.h"
+#include "third_party/mbedtls/include/mbedtls/debug.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

-#include <string.h>

 #if defined(MBEDTLS_ECP_C)
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
 #endif

 #if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
+#include "third_party/mbedtls/include/mbedtls/platform_time.h"
 #endif

 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
--- a/third_party/mbedtls/library/ssl_ticket.c
+++ b/third_party/mbedtls/library/ssl_ticket.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  TLS server tickets callbacks implementation
 *
@ -17,24 +19,22 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SSL_TICKET_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free      free
 #endif

-#include "mbedtls/ssl_internal.h"
-#include "mbedtls/ssl_ticket.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_internal.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_ticket.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

-#include <string.h>

 /*
 * Initialze context
--- a/third_party/mbedtls/library/ssl_tls.c
+++ b/third_party/mbedtls/library/ssl_tls.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  SSLv3/TLSv1 shared functions
 *
@ -25,34 +27,32 @@
 *  http://www.ietf.org/rfc/rfc4346.txt
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SSL_TLS_C)

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
 #define mbedtls_calloc    calloc
 #define mbedtls_free      free
 #endif

-#include "mbedtls/ssl.h"
-#include "mbedtls/ssl_internal.h"
-#include "mbedtls/debug.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/version.h"
-
-#include <string.h>
+#include "third_party/mbedtls/include/psa/sheesh.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_internal.h"
+#include "third_party/mbedtls/include/mbedtls/debug.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/version.h"

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "mbedtls/psa_util.h"
-#include "psa/crypto.h"
+#include "third_party/mbedtls/include/mbedtls/psa_util.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
 #endif

 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-#include "mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
 #endif

 #if defined(MBEDTLS_SSL_PROTO_DTLS)
--- a/third_party/mbedtls/library/ssl_tls13_keys.c
+++ b/third_party/mbedtls/library/ssl_tls13_keys.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  TLS 1.3 key schedule
 *
@ -17,16 +19,14 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)

-#include "mbedtls/hkdf.h"
-#include "mbedtls/ssl_internal.h"
-#include "ssl_tls13_keys.h"
+#include "third_party/mbedtls/include/mbedtls/hkdf.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_internal.h"
+#include "third_party/mbedtls/library/ssl_tls13_keys.h"

-#include <stdint.h>
-#include <string.h>

 #define MBEDTLS_SSL_TLS1_3_LABEL( name, string )       \
    .name = string,
--- a/third_party/mbedtls/library/ssl_tls13_keys.h
+++ b/third_party/mbedtls/library/ssl_tls13_keys.h
@ -1,3 +1,7 @@
+/* clang-format off */
+#include "third_party/mbedtls/include/mbedtls/ssl_internal.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
+
 /*
 *  TLS 1.3 key schedule
 *
--- a/third_party/mbedtls/library/threading.c
+++ b/third_party/mbedtls/library/threading.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Threading abstraction layer
 *
@ -25,18 +27,17 @@
 #define _POSIX_C_SOURCE 200112L
 #endif

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_THREADING_C)

-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"

 #if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)

 #if !defined(_WIN32) && (defined(unix) || \
    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
    defined(__MACH__)))
-#include <unistd.h>
 #endif /* !_WIN32 && (unix || __unix || __unix__ ||
        * (__APPLE__ && __MACH__)) */

--- a/third_party/mbedtls/library/timing.c
+++ b/third_party/mbedtls/library/timing.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Portable interface to the CPU cycle counter
 *
@ -17,18 +19,19 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "libc/calls/calls.h"
+#include "libc/time/time.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
 #define mbedtls_printf     printf
 #endif

 #if defined(MBEDTLS_TIMING_C)

-#include "mbedtls/timing.h"
+#include "third_party/mbedtls/include/mbedtls/timing.h"

 #if !defined(MBEDTLS_TIMING_ALT)

@ -44,8 +47,6 @@

 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)

-#include <windows.h>
-#include <process.h>

 struct _hr_time
 {
@ -54,12 +55,6 @@ struct _hr_time

 #else

-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <signal.h>
-#include <time.h>
-
 struct _hr_time
 {
    struct timeval start;
--- a/third_party/mbedtls/library/version.c
+++ b/third_party/mbedtls/library/version.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Version information
 *
@ -17,12 +19,12 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_VERSION_C)

-#include "mbedtls/version.h"
-#include <string.h>
+#include "third_party/mbedtls/include/mbedtls/version.h"

 unsigned int mbedtls_version_get_number( void )
 {
--- a/third_party/mbedtls/library/version_features.c
+++ b/third_party/mbedtls/library/version_features.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  Version feature information
 *
@ -17,13 +19,12 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "libc/str/str.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_VERSION_C)

-#include "mbedtls/version.h"
-
-#include <string.h>
+#include "third_party/mbedtls/include/mbedtls/version.h"

 static const char * const features[] = {
 #if defined(MBEDTLS_VERSION_FEATURES)
--- a/third_party/mbedtls/library/x509.c
+++ b/third_party/mbedtls/library/x509.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  X.509 common functions for parsing and verification
 *
@ -27,27 +29,24 @@
 *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
 */

-#include "common.h"
+#include "libc/time/struct/tm.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_X509_USE_C)

-#include "mbedtls/x509.h"
-#include "mbedtls/asn1.h"
-#include "mbedtls/error.h"
-#include "mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/x509.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"

-#include <stdio.h>
-#include <string.h>

 #if defined(MBEDTLS_PEM_PARSE_C)
-#include "mbedtls/pem.h"
+#include "third_party/mbedtls/include/mbedtls/pem.h"
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdio.h>
-#include <stdlib.h>
 #define mbedtls_free      free
 #define mbedtls_calloc    calloc
 #define mbedtls_printf    printf
@ -55,11 +54,10 @@
 #endif

 #if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
+#include "third_party/mbedtls/include/mbedtls/platform_time.h"
 #endif
 #if defined(MBEDTLS_HAVE_TIME_DATE)
-#include "mbedtls/platform_util.h"
-#include <time.h>
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #endif

 #define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); }
@ -998,8 +996,8 @@ int mbedtls_x509_time_is_future( const mbedtls_x509_time *from )

 #if defined(MBEDTLS_SELF_TEST)

-#include "mbedtls/x509_crt.h"
-#include "mbedtls/certs.h"
+#include "third_party/mbedtls/include/mbedtls/x509_crt.h"
+#include "third_party/mbedtls/include/mbedtls/certs.h"

 /*
 * Checkup routine
--- a/third_party/mbedtls/library/x509_create.c
+++ b/third_party/mbedtls/library/x509_create.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  X.509 base functions for creating certificates / CSRs
 *
@ -17,16 +19,15 @@
 *  limitations under the License.
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_X509_CREATE_C)

-#include "mbedtls/x509.h"
-#include "mbedtls/asn1write.h"
-#include "mbedtls/error.h"
-#include "mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/x509.h"
+#include "third_party/mbedtls/include/mbedtls/asn1write.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"

-#include <string.h>

 /* Structure linking OIDs for X.509 DN AttributeTypes to their
 * string representations and default string encodings used by Mbed TLS. */
--- a/third_party/mbedtls/library/x509_crl.c
+++ b/third_party/mbedtls/library/x509_crl.c
@ -1,3 +1,5 @@
+/* clang-format off */
+
 /*
 *  X.509 Certidicate Revocation List (CRL) parsing
 *
@ -27,39 +29,33 @@
 *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
 */

-#include "common.h"
+#include "third_party/mbedtls/library/common.h"

 #if defined(MBEDTLS_X509_CRL_PARSE_C)

-#include "mbedtls/x509_crl.h"
-#include "mbedtls/error.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/x509_crl.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"

-#include <string.h>

 #if defined(MBEDTLS_PEM_PARSE_C)
-#include "mbedtls/pem.h"
+#include "third_party/mbedtls/include/mbedtls/pem.h"
 #endif

 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
-#include <stdlib.h>
-#include <stdio.h>
 #define mbedtls_free       free
 #define mbedtls_calloc    calloc
 #define mbedtls_snprintf   snprintf
 #endif

 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-#include <windows.h>
 #else
-#include <time.h>
 #endif

 #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
-#include <stdio.h>
 #endif

 /*
--- a/Show more
+++ b/Show more