Get Mbed TLS to build

This change configures Mbed TLS to support the fewest number of things possible required to run an HTTPS server that caters to the sweet spot of being legacy enough to support the vast majority of user agents but modern enough that Chrome and Firefox remain happy. That should entail - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_RSA_WITH_AES_128_CBC_SHA Even though other suites still get included so what usually happens in practice is ECDHE-RSA-AES256-GCM-SHA384 under TLS 1.2 will be selected and the binary footprint is reasonable, and should cost us about 200kb
2025-02-07 15:03:34 +00:00 · 2021-06-15 19:52:02 -07:00 · 2021-06-15 19:52:02 -07:00 · d0ac995dc0
commit d0ac995dc0
parent 19bd27358a
204 changed files with 1698 additions and 1490 deletions
--- a/1
+++ b/1
@ -137,6 +137,7 @@ include libc/testlib/testlib.mk
 include tool/viz/lib/vizlib.mk
 include third_party/lua/lua.mk
 include third_party/sqlite3/sqlite3.mk
 include third_party/mbedtls/mbedtls.mk
 include third_party/quickjs/quickjs.mk
 include third_party/lz4cli/lz4cli.mk
 include third_party/infozip/infozip.mk
--- a/examples/examples.mk
+++ b/examples/examples.mk
@ -69,6 +69,7 @@ EXAMPLES_DIRECTDEPS =						\
 	THIRD_PARTY_DLMALLOC					\
 	THIRD_PARTY_GDTOA					\
 	THIRD_PARTY_GETOPT					\
 	THIRD_PARTY_MBEDTLS					\
 	THIRD_PARTY_LUA						\
 	THIRD_PARTY_MUSL					\
 	THIRD_PARTY_STB						\
--- a/examples/tls.c
+++ b/examples/tls.c
@ -0,0 +1,153 @@
 #if 0
 /*─────────────────────────────────────────────────────────────────╗
 │ To the extent possible under law, Justine Tunney has waived      │
 │ all copyright and related or neighboring rights to this file,    │
 │ as it is written in the following disclaimers:                   │
 │   • http://unlicense.org/                                        │
 │   • http://creativecommons.org/publicdomain/zero/1.0/            │
 ╚─────────────────────────────────────────────────────────────────*/
 #endif
 #include "libc/log/check.h"
 #include "libc/stdio/stdio.h"
 #include "libc/str/str.h"
 #include "third_party/mbedtls/include/mbedtls/ctr_drbg.h"
 #include "third_party/mbedtls/include/mbedtls/dhm.h"
 #include "third_party/mbedtls/include/mbedtls/entropy.h"
 #include "third_party/mbedtls/include/mbedtls/error.h"
 #include "third_party/mbedtls/include/mbedtls/net_sockets.h"
 #include "third_party/mbedtls/include/mbedtls/pk.h"
 #include "third_party/mbedtls/include/mbedtls/platform.h"
 #include "third_party/mbedtls/include/mbedtls/ssl.h"
 #include "third_party/mbedtls/include/mbedtls/ssl_cache.h"
 #include "third_party/mbedtls/include/mbedtls/x509_crt.h"
 #define R(e) \
  if ((r = e)) goto Die
 char buf[1024], ebuf[100];
 mbedtls_net_context server, client;
 mbedtls_x509_crt cert;
 mbedtls_x509_crt cacert;
 mbedtls_entropy_context entropy;
 mbedtls_ssl_cache_context cache;
 mbedtls_ctr_drbg_context ctrdrbg;
 mbedtls_pk_context pkey;
 mbedtls_ssl_config conf;
 mbedtls_ssl_context ssl;
 void OnDebug(void *ctx, int lev, const char *file, int line, const char *str) {
  fprintf(stderr, "%s:%04d: %s", file, line, str);
  fflush(stderr);
 }
 int main(int argc, char *argv[]) {
  int r, len;
  system("openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem "
         "-days 3650 -nodes -subj '/CN=localhost'");
  mbedtls_net_init(&server);
  mbedtls_net_init(&client);
  mbedtls_ssl_init(&ssl);
  mbedtls_ssl_config_init(&conf);
  mbedtls_ssl_cache_init(&cache);
  mbedtls_entropy_init(&entropy);
  mbedtls_x509_crt_init(&cert);
  mbedtls_pk_init(&pkey);
  mbedtls_ctr_drbg_init(&ctrdrbg);
  R(mbedtls_pk_parse_keyfile(&pkey, "key.pem", 0));
  R(mbedtls_x509_crt_parse_file(&cert, "cert.pem"));
  R(mbedtls_net_bind(&server, "0.0.0.0", "8080", MBEDTLS_NET_PROTO_TCP));
  R(mbedtls_ctr_drbg_seed(&ctrdrbg, mbedtls_entropy_func, &entropy,
                          (const unsigned char *)"redbean", 7));
  R(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER,
                                MBEDTLS_SSL_TRANSPORT_STREAM,
                                MBEDTLS_SSL_PRESET_DEFAULT));
  mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctrdrbg);
  mbedtls_ssl_conf_dbg(&conf, OnDebug, 0);
  mbedtls_ssl_conf_session_cache(&conf, &cache, mbedtls_ssl_cache_get,
                                 mbedtls_ssl_cache_set);
  R(mbedtls_ssl_conf_own_cert(&conf, &cert, &pkey));
  R(mbedtls_ssl_setup(&ssl, &conf));
 Reset:
  mbedtls_net_free(&client);
  R(mbedtls_ssl_session_reset(&ssl));
  R(mbedtls_net_accept(&server, &client, 0, 0, 0));
  mbedtls_ssl_set_bio(&ssl, &client, mbedtls_net_send, mbedtls_net_recv, 0);
  while ((r = mbedtls_ssl_handshake(&ssl)) != 0) {
    if (r != MBEDTLS_ERR_SSL_WANT_READ && r != MBEDTLS_ERR_SSL_WANT_WRITE) {
      printf(" failed\n  ! mbedtls_ssl_handshake returned %d\n", r);
      goto Reset;
    }
  }
  do {
    len = sizeof(buf) - 1;
    memset(buf, 0, sizeof(buf));
    r = mbedtls_ssl_read(&ssl, (void *)buf, len);
    if (r == MBEDTLS_ERR_SSL_WANT_READ || r == MBEDTLS_ERR_SSL_WANT_WRITE)
      continue;
    if (r <= 0) {
      switch (r) {
        case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
          printf("connection was closed gracefully\n");
          break;
        case MBEDTLS_ERR_NET_CONN_RESET:
          printf("connection was reset by peer\n");
          break;
        default:
          printf("mbedtls_ssl_read returned -0x%x\n", -r);
          break;
      }
      break;
    }
    len = r;
    printf("%d bytes read\n%s", len, buf);
    if (r > 0) break;
  } while (1);
  len = sprintf(buf,
                "HTTP/1.0 200 OK\r\n"
                "Content-Type: text/html\r\n"
                "\r\n"
                "<h2>Mbed TLS Test Server</h2>\r\n"
                "<p>Successful connection using: %s\r\n",
                mbedtls_ssl_get_ciphersuite(&ssl));
  while ((r = mbedtls_ssl_write(&ssl, (void *)buf, len)) <= 0) {
    if (r == MBEDTLS_ERR_NET_CONN_RESET) {
      printf("failed\n  ! peer closed the connection\n");
      goto Reset;
    }
    if (r != MBEDTLS_ERR_SSL_WANT_READ && r != MBEDTLS_ERR_SSL_WANT_WRITE) {
      printf("failed\n  ! mbedtls_ssl_write returned %d\n", r);
      exit(1);
    }
  }
  while ((r = mbedtls_ssl_close_notify(&ssl)) < 0) {
    if (r != MBEDTLS_ERR_SSL_WANT_READ && r != MBEDTLS_ERR_SSL_WANT_WRITE) {
      printf("error: mbedtls_ssl_close_notify returned %d\n", r);
      goto Reset;
    }
  }
  printf("ok\n");
  r = 0;
  goto Reset;
  mbedtls_net_free(&client);
  mbedtls_net_free(&server);
  mbedtls_x509_crt_free(&cert);
  mbedtls_pk_free(&pkey);
  mbedtls_ssl_cache_free(&cache);
  return 0;
 Die:
  mbedtls_strerror(r, ebuf, 100);
  printf("last error was: %d - %s\n", r, ebuf);
  return 1;
 }
--- a/libc/sock/sock.h
+++ b/libc/sock/sock.h
@ -1,6 +1,8 @@
 #ifndef COSMOPOLITAN_LIBC_SOCK_SOCK_H_
 #define COSMOPOLITAN_LIBC_SOCK_SOCK_H_
 #include "libc/bits/bswap.h"
 #include "libc/calls/struct/sigset.h"
 #include "libc/calls/struct/timespec.h"
 #if !(__ASSEMBLER__ + __LINKER__ + 0)
 COSMOPOLITAN_C_START_
 /*───────────────────────────────────────────────────────────────────────────│─╗
@ -23,12 +25,6 @@ COSMOPOLITAN_C_START_
 #define htonl(u32) bswap_32(u32)
 #define ntohl(u32) bswap_32(u32)
 struct iovec;
 struct sigset;
 struct timespec;
 struct timeval;
 struct addrinfo;
 struct in_addr { /* ARPA ABI */
  /* e.g. 127|0<<8|0<<16|1<<24 or inet_pton(AF_INET, "127.0.0.1", &s_addr) */
  uint32_t s_addr;
@ -150,7 +146,6 @@ int accept(int, void *, uint32_t *) nodiscard;
 int accept4(int, void *, uint32_t *, int) nodiscard;
 int bind(int, const void *, uint32_t);
 int connect(int, const void *, uint32_t);
 int socketconnect(const struct addrinfo *, int);
 int listen(int, int);
 int shutdown(int, int);
 int getsockname(int, void *, uint32_t *) paramsnonnull();
--- a/third_party/mbedtls/include/mbedtls/aes.h
+++ b/third_party/mbedtls/include/mbedtls/aes.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file aes.h
 *
@ -41,13 +43,11 @@
 #define MBEDTLS_AES_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 /* padlock.c and aesni.c rely on these values! */
 #define MBEDTLS_AES_ENCRYPT     1 /**< AES encryption. */
@ -111,7 +111,7 @@ typedef struct mbedtls_aes_xts_context
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 #else  /* MBEDTLS_AES_ALT */
-#include "aes_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/aes_alt.h" */
 #endif /* MBEDTLS_AES_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/aesni.h
+++ b/third_party/mbedtls/include/mbedtls/aesni.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file aesni.h
 *
@ -26,12 +28,12 @@
 #define MBEDTLS_AESNI_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
 #define MBEDTLS_AESNI_AES      0x02000000u
 #define MBEDTLS_AESNI_CLMUL    0x00000002u
--- a/third_party/mbedtls/include/mbedtls/arc4.h
+++ b/third_party/mbedtls/include/mbedtls/arc4.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file arc4.h
 *
@ -27,12 +29,11 @@
 #define MBEDTLS_ARC4_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 /* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED                  -0x0019  /**< ARC4 hardware accelerator failed. */
@ -61,7 +62,7 @@ typedef struct mbedtls_arc4_context
 mbedtls_arc4_context;
 #else  /* MBEDTLS_ARC4_ALT */
-#include "arc4_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/arc4_alt.h" */
 #endif /* MBEDTLS_ARC4_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/aria.h
+++ b/third_party/mbedtls/include/mbedtls/aria.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file aria.h
 *
@ -30,15 +32,13 @@
 #define MBEDTLS_ARIA_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #define MBEDTLS_ARIA_ENCRYPT     1 /**< ARIA encryption. */
 #define MBEDTLS_ARIA_DECRYPT     0 /**< ARIA decryption. */
@ -81,7 +81,7 @@ typedef struct mbedtls_aria_context
 mbedtls_aria_context;
 #else  /* MBEDTLS_ARIA_ALT */
-#include "aria_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/aria_alt.h" */
 #endif /* MBEDTLS_ARIA_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/asn1.h
+++ b/third_party/mbedtls/include/mbedtls/asn1.h
@ -1,3 +1,4 @@
 /* clang-format off */
 /**
 * \file asn1.h
 *
@ -23,15 +24,14 @@
 #define MBEDTLS_ASN1_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
 #endif
 /**
--- a/third_party/mbedtls/include/mbedtls/asn1write.h
+++ b/third_party/mbedtls/include/mbedtls/asn1write.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file asn1write.h
 *
@ -23,12 +25,12 @@
 #define MBEDTLS_ASN1_WRITE_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
 #define MBEDTLS_ASN1_CHK_ADD(g, f)                      \
    do                                                  \
--- a/third_party/mbedtls/include/mbedtls/base64.h
+++ b/third_party/mbedtls/include/mbedtls/base64.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file base64.h
 *
@ -23,12 +25,11 @@
 #define MBEDTLS_BASE64_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
 #define MBEDTLS_ERR_BASE64_INVALID_CHARACTER              -0x002C  /**< Invalid character in input. */
--- a/third_party/mbedtls/include/mbedtls/bignum.h
+++ b/third_party/mbedtls/include/mbedtls/bignum.h
@ -1,3 +1,4 @@
 /* clang-format off */
 /**
 * \file bignum.h
 *
@ -21,18 +22,16 @@
 */
 #ifndef MBEDTLS_BIGNUM_H
 #define MBEDTLS_BIGNUM_H
 #include "libc/stdio/stdio.h"
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 #if defined(MBEDTLS_FS_IO)
 #include <stdio.h>
 #endif
 #define MBEDTLS_ERR_MPI_FILE_IO_ERROR                     -0x0002  /**< An error occurred while reading from or writing to a file. */
--- a/third_party/mbedtls/include/mbedtls/blowfish.h
+++ b/third_party/mbedtls/include/mbedtls/blowfish.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file blowfish.h
 *
@ -23,15 +25,13 @@
 #define MBEDTLS_BLOWFISH_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #define MBEDTLS_BLOWFISH_ENCRYPT     1
 #define MBEDTLS_BLOWFISH_DECRYPT     0
@ -70,7 +70,7 @@ typedef struct mbedtls_blowfish_context
 mbedtls_blowfish_context;
 #else  /* MBEDTLS_BLOWFISH_ALT */
-#include "blowfish_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/blowfish_alt.h" */
 #endif /* MBEDTLS_BLOWFISH_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/bn_mul.h
+++ b/third_party/mbedtls/include/mbedtls/bn_mul.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file bn_mul.h
 *
@ -37,12 +39,12 @@
 #define MBEDTLS_BN_MUL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
 #if defined(MBEDTLS_HAVE_ASM)
--- a/third_party/mbedtls/include/mbedtls/camellia.h
+++ b/third_party/mbedtls/include/mbedtls/camellia.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file camellia.h
 *
@ -23,15 +25,13 @@
 #define MBEDTLS_CAMELLIA_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #define MBEDTLS_CAMELLIA_ENCRYPT     1
 #define MBEDTLS_CAMELLIA_DECRYPT     0
@ -66,7 +66,7 @@ typedef struct mbedtls_camellia_context
 mbedtls_camellia_context;
 #else  /* MBEDTLS_CAMELLIA_ALT */
-#include "camellia_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/camellia_alt.h" */
 #endif /* MBEDTLS_CAMELLIA_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/ccm.h
+++ b/third_party/mbedtls/include/mbedtls/ccm.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ccm.h
 *
@ -48,12 +50,12 @@
 #define MBEDTLS_CCM_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
 #define MBEDTLS_ERR_CCM_AUTH_FAILED     -0x000F /**< Authenticated decryption failed. */
@ -80,7 +82,7 @@ typedef struct mbedtls_ccm_context
 mbedtls_ccm_context;
 #else  /* MBEDTLS_CCM_ALT */
-#include "ccm_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/ccm_alt.h" */
 #endif /* MBEDTLS_CCM_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/certs.h
+++ b/third_party/mbedtls/include/mbedtls/certs.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file certs.h
 *
@ -23,12 +25,11 @@
 #define MBEDTLS_CERTS_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/include/mbedtls/chacha20.h
+++ b/third_party/mbedtls/include/mbedtls/chacha20.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file chacha20.h
 *
@ -33,13 +35,11 @@
 #define MBEDTLS_CHACHA20_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stdint.h>
 #include <stddef.h>
 #define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA         -0x0051 /**< Invalid input parameter(s). */
@ -66,7 +66,7 @@ typedef struct mbedtls_chacha20_context
 mbedtls_chacha20_context;
 #else  /* MBEDTLS_CHACHA20_ALT */
-#include "chacha20_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/chacha20_alt.h" */
 #endif /* MBEDTLS_CHACHA20_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/chachapoly.h
+++ b/third_party/mbedtls/include/mbedtls/chachapoly.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file chachapoly.h
 *
@ -33,13 +35,13 @@
 #define MBEDTLS_CHACHAPOLY_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 /* for shared error codes */
-#include "mbedtls/poly1305.h"
+#include "third_party/mbedtls/include/mbedtls/poly1305.h"
 #define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE            -0x0054 /**< The requested operation is not permitted in the current state. */
 #define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED          -0x0056 /**< Authenticated decryption failed: data was not authentic. */
@ -57,7 +59,7 @@ mbedtls_chachapoly_mode_t;
 #if !defined(MBEDTLS_CHACHAPOLY_ALT)
-#include "mbedtls/chacha20.h"
+#include "third_party/mbedtls/include/mbedtls/chacha20.h"
 typedef struct mbedtls_chachapoly_context
 {
@ -71,7 +73,7 @@ typedef struct mbedtls_chachapoly_context
 mbedtls_chachapoly_context;
 #else /* !MBEDTLS_CHACHAPOLY_ALT */
-#include "chachapoly_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/chachapoly_alt.h" */
 #endif /* !MBEDTLS_CHACHAPOLY_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/check_config.h
+++ b/third_party/mbedtls/include/mbedtls/check_config.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file check_config.h
 *
@ -32,7 +34,6 @@
 * We assume CHAR_BIT is 8 in many places. In practice, this is true on our
 * target platforms, so not an issue, but let's just be extra sure.
 */
 #include <limits.h>
 #if CHAR_BIT != 8
 #error "mbed TLS requires a platform with 8-bit chars"
 #endif
--- a/third_party/mbedtls/include/mbedtls/cipher.h
+++ b/third_party/mbedtls/include/mbedtls/cipher.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file cipher.h
 *
@ -28,13 +30,12 @@
 #define MBEDTLS_CIPHER_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include <stddef.h>
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #include "mbedtls/platform_util.h"
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 #define MBEDTLS_CIPHER_MODE_AEAD
--- a/third_party/mbedtls/include/mbedtls/cipher_internal.h
+++ b/third_party/mbedtls/include/mbedtls/cipher_internal.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file cipher_internal.h
 *
@ -25,15 +27,15 @@
 #define MBEDTLS_CIPHER_WRAP_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 #ifdef __cplusplus
--- a/third_party/mbedtls/include/mbedtls/cmac.h
+++ b/third_party/mbedtls/include/mbedtls/cmac.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file cmac.h
 *
@ -27,12 +29,12 @@
 #define MBEDTLS_CMAC_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #ifdef __cplusplus
 extern "C" {
@ -69,7 +71,7 @@ struct mbedtls_cmac_context_t
 };
 #else  /* !MBEDTLS_CMAC_ALT */
-#include "cmac_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/cmac_alt.h" */
 #endif /* !MBEDTLS_CMAC_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/compat-1.3.h
+++ b/third_party/mbedtls/include/mbedtls/compat-1.3.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file compat-1.3.h
 *
@ -24,7 +26,7 @@
 */
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
--- a/third_party/mbedtls/include/mbedtls/config.h
+++ b/third_party/mbedtls/include/mbedtls/config.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file config.h
 *
@ -115,7 +117,7 @@
 *
 * Uncomment if the CPU supports SSE2 (IA-32 specific).
 */
-//#define MBEDTLS_HAVE_SSE2
+#define MBEDTLS_HAVE_SSE2
 /**
 * \def MBEDTLS_HAVE_TIME
@ -253,7 +255,7 @@
 *
 * Uncomment to get errors on using deprecated functions and features.
 */
-//#define MBEDTLS_DEPRECATED_REMOVED
+#define MBEDTLS_DEPRECATED_REMOVED
 /**
 * \def MBEDTLS_CHECK_PARAMS
@ -563,7 +565,7 @@
 *
 * Uncomment to use your own hardware entropy collector.
 */
-//#define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
 /**
 * \def MBEDTLS_AES_ROM_TABLES
@ -583,7 +585,7 @@
 * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
 *
 */
-//#define MBEDTLS_AES_ROM_TABLES
+#define MBEDTLS_AES_ROM_TABLES
 /**
 * \def MBEDTLS_AES_FEWER_TABLES
@ -628,28 +630,28 @@
 *
 * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
 */
-#define MBEDTLS_CIPHER_MODE_CFB
+//#define MBEDTLS_CIPHER_MODE_CFB
 /**
 * \def MBEDTLS_CIPHER_MODE_CTR
 *
 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
 */
-#define MBEDTLS_CIPHER_MODE_CTR
+//#define MBEDTLS_CIPHER_MODE_CTR
 /**
 * \def MBEDTLS_CIPHER_MODE_OFB
 *
 * Enable Output Feedback mode (OFB) for symmetric ciphers.
 */
-#define MBEDTLS_CIPHER_MODE_OFB
+//#define MBEDTLS_CIPHER_MODE_OFB
 /**
 * \def MBEDTLS_CIPHER_MODE_XTS
 *
 * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
 */
-#define MBEDTLS_CIPHER_MODE_XTS
+//#define MBEDTLS_CIPHER_MODE_XTS
 /**
 * \def MBEDTLS_CIPHER_NULL_CIPHER
@ -849,7 +851,7 @@
 * defined in `ecdh.h`). For most applications, the choice of format makes
 * no difference, since all library functions can work with either format,
 * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE.
-
+ *
 * The new format used when this option is disabled is smaller
 * (56 bytes on a 32-bit platform). In future versions of the library, it
 * will support alternative implementations of ECDH operations.
@ -866,7 +868,7 @@
 *       library may modify the way the ECDH context layout is configured
 *       and may modify the layout of the new context type.
 */
-#define MBEDTLS_ECDH_LEGACY_CONTEXT
+//#define MBEDTLS_ECDH_LEGACY_CONTEXT
 /**
 * \def MBEDTLS_ECDSA_DETERMINISTIC
@ -902,7 +904,7 @@
 *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
 */
-#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 /**
 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@ -933,7 +935,7 @@
 *             See dhm.h for more details.
 *
 */
-#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@ -953,7 +955,7 @@
 *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
 */
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 /**
 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
@ -978,7 +980,7 @@
 *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
 */
-#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 /**
 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
@ -1039,7 +1041,7 @@
 *             See dhm.h for more details.
 *
 */
-#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@ -1088,7 +1090,7 @@
 *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
 */
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
@ -1112,7 +1114,7 @@
 *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
 *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
 */
-#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
@ -1136,7 +1138,7 @@
 *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
 *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
 */
-#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@ -1446,7 +1448,7 @@
 *
 * Enable the checkup functions (*_self_test).
 */
-#define MBEDTLS_SELF_TEST
+//#define MBEDTLS_SELF_TEST
 /**
 * \def MBEDTLS_SHA256_SMALLER
@ -1578,7 +1580,7 @@
 *
 * Comment to disable the context serialization APIs.
 */
-#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
+//#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
 /**
 * \def MBEDTLS_SSL_DEBUG_ALL
@ -1695,7 +1697,7 @@
 *
 * Comment this macro to disable 1/n-1 record splitting.
 */
-#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
+//#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
 /**
 * \def MBEDTLS_SSL_RENEGOTIATION
@ -1776,7 +1778,7 @@
 *
 * Comment this macro to disable support for TLS 1.0
 */
-#define MBEDTLS_SSL_PROTO_TLS1
+//#define MBEDTLS_SSL_PROTO_TLS1
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_1
@ -1788,7 +1790,7 @@
 *
 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
 */
-#define MBEDTLS_SSL_PROTO_TLS1_1
+//#define MBEDTLS_SSL_PROTO_TLS1_1
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_2
@ -1834,7 +1836,7 @@
 *
 * Comment this macro to disable support for DTLS
 */
-#define MBEDTLS_SSL_PROTO_DTLS
+//#define MBEDTLS_SSL_PROTO_DTLS
 /**
 * \def MBEDTLS_SSL_ALPN
@ -1843,7 +1845,7 @@
 *
 * Comment this macro to disable support for ALPN.
 */
-#define MBEDTLS_SSL_ALPN
+//#define MBEDTLS_SSL_ALPN
 /**
 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
@ -1858,7 +1860,7 @@
 *
 * Comment this to disable anti-replay in DTLS.
 */
-#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+//#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
 /**
 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
@ -1876,7 +1878,7 @@
 *
 * Comment this to disable support for HelloVerifyRequest.
 */
-#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+//#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
 /**
 * \def MBEDTLS_SSL_DTLS_SRTP
@ -1923,7 +1925,7 @@
 *
 * Comment this to disable support for clients reusing the source port.
 */
-#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+//#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
 /**
 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
@ -1934,7 +1936,7 @@
 *
 * Requires: MBEDTLS_SSL_PROTO_DTLS
 */
-#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+//#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
 /**
 * \def MBEDTLS_SSL_SESSION_TICKETS
@ -2148,7 +2150,7 @@
 *
 * Comment this to disable run-time checking and save ROM space
 */
-#define MBEDTLS_VERSION_FEATURES
+//#define MBEDTLS_VERSION_FEATURES
 /**
 * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
@ -2216,7 +2218,7 @@
 *
 * Comment to skip extendedKeyUsage checking for certificates.
 */
-#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+//#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
 /**
 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
@ -2376,7 +2378,7 @@
 *            it, and considering stronger ciphers instead.
 *
 */
-#define MBEDTLS_ARC4_C
+//#define MBEDTLS_ARC4_C
 /**
 * \def MBEDTLS_ASN1_PARSE_C
@ -2442,7 +2444,7 @@
 *
 * Module:  library/blowfish.c
 */
-#define MBEDTLS_BLOWFISH_C
+//#define MBEDTLS_BLOWFISH_C
 /**
 * \def MBEDTLS_CAMELLIA_C
@ -2497,7 +2499,7 @@
 *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
 *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
 */
-#define MBEDTLS_CAMELLIA_C
+//#define MBEDTLS_CAMELLIA_C
 /**
 * \def MBEDTLS_ARIA_C
@ -2563,7 +2565,7 @@
 * This module enables the AES-CCM ciphersuites, if other requisites are
 * enabled as well.
 */
-#define MBEDTLS_CCM_C
+//#define MBEDTLS_CCM_C
 /**
 * \def MBEDTLS_CERTS_C
@ -2575,7 +2577,7 @@
 *
 * This module is used for testing (ssl_client/server).
 */
-#define MBEDTLS_CERTS_C
+/* #define MBEDTLS_CERTS_C */
 /**
 * \def MBEDTLS_CHACHA20_C
@ -2584,7 +2586,7 @@
 *
 * Module:  library/chacha20.c
 */
-#define MBEDTLS_CHACHA20_C
+/* #define MBEDTLS_CHACHA20_C */
 /**
 * \def MBEDTLS_CHACHAPOLY_C
@ -2595,7 +2597,7 @@
 *
 * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
 */
-#define MBEDTLS_CHACHAPOLY_C
+/* #define MBEDTLS_CHACHAPOLY_C */
 /**
 * \def MBEDTLS_CIPHER_C
@ -2654,7 +2656,7 @@
 *
 * This module provides debugging functions.
 */
-#define MBEDTLS_DEBUG_C
+//#define MBEDTLS_DEBUG_C
 /**
 * \def MBEDTLS_DES_C
@ -2683,7 +2685,7 @@
 * \warning   DES is considered a weak cipher and its use constitutes a
 *            security risk. We recommend considering stronger ciphers instead.
 */
-#define MBEDTLS_DES_C
+//#define MBEDTLS_DES_C
 /**
 * \def MBEDTLS_DHM_C
@ -2704,7 +2706,7 @@
 *             See dhm.h for more details.
 *
 */
-#define MBEDTLS_DHM_C
+//#define MBEDTLS_DHM_C
 /**
 * \def MBEDTLS_ECDH_C
@ -2737,7 +2739,7 @@
 *           and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a
 *           short Weierstrass curve.
 */
-#define MBEDTLS_ECDSA_C
+//#define MBEDTLS_ECDSA_C
 /**
 * \def MBEDTLS_ECJPAKE_C
@ -2943,7 +2945,7 @@
 *            it, and considering stronger message digests instead.
 *
 */
-#define MBEDTLS_MD5_C
+//#define MBEDTLS_MD5_C
 /**
 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
@ -3015,7 +3017,7 @@
 *
 * This modules adds support for the VIA PadLock on x86.
 */
-#define MBEDTLS_PADLOCK_C
+//#define MBEDTLS_PADLOCK_C
 /**
 * \def MBEDTLS_PEM_PARSE_C
@ -3218,7 +3220,7 @@
 *           either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
 *           the PSA ITS interface
 */
-#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
 /**
 * \def MBEDTLS_PSA_ITS_FILE_C
@ -3230,7 +3232,7 @@
 *
 * Requires: MBEDTLS_FS_IO
 */
-#define MBEDTLS_PSA_ITS_FILE_C
+//#define MBEDTLS_PSA_ITS_FILE_C
 /**
 * \def MBEDTLS_RIPEMD160_C
@ -3241,7 +3243,7 @@
 * Caller:  library/md.c
 *
 */
-#define MBEDTLS_RIPEMD160_C
+//#define MBEDTLS_RIPEMD160_C
 /**
 * \def MBEDTLS_RSA_C
@ -3558,7 +3560,7 @@
 * Module:  library/xtea.c
 * Caller:
 */
-#define MBEDTLS_XTEA_C
+//#define MBEDTLS_XTEA_C
 /* \} name SECTION: mbed TLS modules */
@ -3956,9 +3958,9 @@
 #endif
 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
-#include "mbedtls/config_psa.h"
+#include "third_party/mbedtls/include/mbedtls/config_psa.h"
 #endif
-#include "mbedtls/check_config.h"
+#include "third_party/mbedtls/include/mbedtls/check_config.h"
 #endif /* MBEDTLS_CONFIG_H */
--- a/third_party/mbedtls/include/mbedtls/config_psa.h
+++ b/third_party/mbedtls/include/mbedtls/config_psa.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file mbedtls/config_psa.h
 * \brief PSA crypto configuration options (set of defines)
@ -31,7 +33,7 @@
 #define MBEDTLS_CONFIG_PSA_H
 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
-#include "psa/crypto_config.h"
+#include "third_party/mbedtls/include/psa/crypto_config.h"
 #endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */
 #ifdef __cplusplus
--- a/third_party/mbedtls/include/mbedtls/ctr_drbg.h
+++ b/third_party/mbedtls/include/mbedtls/ctr_drbg.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ctr_drbg.h
 *
@ -42,15 +44,15 @@
 #define MBEDTLS_CTR_DRBG_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
 #if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
 #endif
 #define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED        -0x0034  /**< The entropy source failed. */
--- a/third_party/mbedtls/include/mbedtls/debug.h
+++ b/third_party/mbedtls/include/mbedtls/debug.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file debug.h
 *
@ -23,15 +25,15 @@
 #define MBEDTLS_DEBUG_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
 #if defined(MBEDTLS_ECP_C)
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
 #endif
 #if defined(MBEDTLS_DEBUG_C)
@ -116,7 +118,6 @@
 * This module provides debugging functions.
 */
 #if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1800)
   #include <inttypes.h>
   #define MBEDTLS_PRINTF_SIZET     PRIuPTR
   #define MBEDTLS_PRINTF_LONGLONG  "I64d"
 #else /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1800) */
--- a/third_party/mbedtls/include/mbedtls/des.h
+++ b/third_party/mbedtls/include/mbedtls/des.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file des.h
 *
@ -28,13 +30,11 @@
 #define MBEDTLS_DES_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 #define MBEDTLS_DES_ENCRYPT     1
 #define MBEDTLS_DES_DECRYPT     0
@ -77,7 +77,7 @@ typedef struct mbedtls_des3_context
 mbedtls_des3_context;
 #else  /* MBEDTLS_DES_ALT */
-#include "des_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/des_alt.h" */
 #endif /* MBEDTLS_DES_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/dhm.h
+++ b/third_party/mbedtls/include/mbedtls/dhm.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file dhm.h
 *
@ -64,11 +66,11 @@
 #define MBEDTLS_DHM_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
 /*
 * DHM Error codes
@ -114,7 +116,7 @@ typedef struct mbedtls_dhm_context
 mbedtls_dhm_context;
 #else /* MBEDTLS_DHM_ALT */
-#include "dhm_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/dhm_alt.h" */
 #endif /* MBEDTLS_DHM_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/ecdh.h
+++ b/third_party/mbedtls/include/mbedtls/ecdh.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ecdh.h
 *
@ -33,16 +35,16 @@
 #define MBEDTLS_ECDH_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
 #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
 #undef MBEDTLS_ECDH_LEGACY_CONTEXT
-#include "everest/everest.h"
+/* #include "everest/everest.h" */
 #endif
 #ifdef __cplusplus
--- a/third_party/mbedtls/include/mbedtls/ecdsa.h
+++ b/third_party/mbedtls/include/mbedtls/ecdsa.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ecdsa.h
 *
@ -31,13 +33,13 @@
 #define MBEDTLS_ECDSA_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 /**
 * \brief           Maximum ECDSA signature size for a given curve bit size
--- a/third_party/mbedtls/include/mbedtls/ecjpake.h
+++ b/third_party/mbedtls/include/mbedtls/ecjpake.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ecjpake.h
 *
@ -39,13 +41,13 @@
 * also be use outside TLS.
 */
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #ifdef __cplusplus
 extern "C" {
@ -91,7 +93,7 @@ typedef struct mbedtls_ecjpake_context
 } mbedtls_ecjpake_context;
 #else  /* MBEDTLS_ECJPAKE_ALT */
-#include "ecjpake_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/ecjpake_alt.h" */
 #endif /* MBEDTLS_ECJPAKE_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/ecp.h
+++ b/third_party/mbedtls/include/mbedtls/ecp.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ecp.h
 *
@ -35,12 +37,12 @@
 #define MBEDTLS_ECP_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
 /*
 * ECP error codes
@ -296,7 +298,7 @@ mbedtls_ecp_group;
 /* \} name SECTION: Module settings */
 #else  /* MBEDTLS_ECP_ALT */
-#include "ecp_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/ecp_alt.h" */
 #endif /* MBEDTLS_ECP_ALT */
 #if defined(MBEDTLS_ECP_RESTARTABLE)
--- a/third_party/mbedtls/include/mbedtls/ecp_internal.h
+++ b/third_party/mbedtls/include/mbedtls/ecp_internal.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ecp_internal.h
 *
@ -60,7 +62,7 @@
 #define MBEDTLS_ECP_INTERNAL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
--- a/third_party/mbedtls/include/mbedtls/entropy.h
+++ b/third_party/mbedtls/include/mbedtls/entropy.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file entropy.h
 *
@ -23,29 +25,28 @@
 #define MBEDTLS_ENTROPY_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
-#include "mbedtls/sha512.h"
+#include "third_party/mbedtls/include/mbedtls/sha512.h"
 #define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
 #else
 #if defined(MBEDTLS_SHA256_C)
 #define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
-#include "mbedtls/sha256.h"
+#include "third_party/mbedtls/include/mbedtls/sha256.h"
 #endif
 #endif
 #if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
 #endif
 #if defined(MBEDTLS_HAVEGE_C)
-#include "mbedtls/havege.h"
+#include "third_party/mbedtls/include/mbedtls/havege.h"
 #endif
 #define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED                 -0x003C  /**< Critical entropy source failure. */
--- a/third_party/mbedtls/include/mbedtls/entropy_poll.h
+++ b/third_party/mbedtls/include/mbedtls/entropy_poll.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file entropy_poll.h
 *
@ -23,12 +25,11 @@
 #define MBEDTLS_ENTROPY_POLL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/include/mbedtls/error.h
+++ b/third_party/mbedtls/include/mbedtls/error.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file error.h
 *
@ -23,12 +25,11 @@
 #define MBEDTLS_ERROR_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 /**
 * Error code layout.
--- a/third_party/mbedtls/include/mbedtls/gcm.h
+++ b/third_party/mbedtls/include/mbedtls/gcm.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file gcm.h
 *
@ -32,14 +34,13 @@
 #define MBEDTLS_GCM_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #include <stdint.h>
 #define MBEDTLS_GCM_ENCRYPT     1
 #define MBEDTLS_GCM_DECRYPT     0
@ -77,7 +78,7 @@ typedef struct mbedtls_gcm_context
 mbedtls_gcm_context;
 #else  /* !MBEDTLS_GCM_ALT */
-#include "gcm_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/gcm_alt.h" */
 #endif /* !MBEDTLS_GCM_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/havege.h
+++ b/third_party/mbedtls/include/mbedtls/havege.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file havege.h
 *
@ -23,13 +25,11 @@
 #define MBEDTLS_HAVEGE_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 #define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
--- a/third_party/mbedtls/include/mbedtls/hkdf.h
+++ b/third_party/mbedtls/include/mbedtls/hkdf.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file hkdf.h
 *
@ -26,12 +28,12 @@
 #define MBEDTLS_HKDF_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 /**
 *  \name HKDF Error codes
--- a/third_party/mbedtls/include/mbedtls/hmac_drbg.h
+++ b/third_party/mbedtls/include/mbedtls/hmac_drbg.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file hmac_drbg.h
 *
@ -27,15 +29,15 @@
 #define MBEDTLS_HMAC_DRBG_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
 #endif
 /*
--- a/third_party/mbedtls/include/mbedtls/md.h
+++ b/third_party/mbedtls/include/mbedtls/md.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file md.h
 *
@ -25,10 +27,9 @@
 #ifndef MBEDTLS_MD_H
 #define MBEDTLS_MD_H
 #include <stddef.h>
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
--- a/third_party/mbedtls/include/mbedtls/md2.h
+++ b/third_party/mbedtls/include/mbedtls/md2.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file md2.h
 *
@ -28,12 +30,11 @@
 #define MBEDTLS_MD2_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 /* MBEDTLS_ERR_MD2_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED                   -0x002B  /**< MD2 hardware accelerator failed */
@ -64,7 +65,7 @@ typedef struct mbedtls_md2_context
 mbedtls_md2_context;
 #else  /* MBEDTLS_MD2_ALT */
-#include "md2_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/md2_alt.h" */
 #endif /* MBEDTLS_MD2_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/md4.h
+++ b/third_party/mbedtls/include/mbedtls/md4.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file md4.h
 *
@ -28,13 +30,11 @@
 #define MBEDTLS_MD4_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 /* MBEDTLS_ERR_MD4_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED                   -0x002D  /**< MD4 hardware accelerator failed */
@ -64,7 +64,7 @@ typedef struct mbedtls_md4_context
 mbedtls_md4_context;
 #else  /* MBEDTLS_MD4_ALT */
-#include "md4_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/md4_alt.h" */
 #endif /* MBEDTLS_MD4_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/md5.h
+++ b/third_party/mbedtls/include/mbedtls/md5.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file md5.h
 *
@ -27,13 +29,11 @@
 #define MBEDTLS_MD5_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 /* MBEDTLS_ERR_MD5_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED                   -0x002F  /**< MD5 hardware accelerator failed */
@ -63,7 +63,7 @@ typedef struct mbedtls_md5_context
 mbedtls_md5_context;
 #else  /* MBEDTLS_MD5_ALT */
-#include "md5_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/md5_alt.h" */
 #endif /* MBEDTLS_MD5_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/md_internal.h
+++ b/third_party/mbedtls/include/mbedtls/md_internal.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file md_internal.h
 *
@ -27,12 +29,12 @@
 #define MBEDTLS_MD_WRAP_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/include/mbedtls/memory_buffer_alloc.h
+++ b/third_party/mbedtls/include/mbedtls/memory_buffer_alloc.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file memory_buffer_alloc.h
 *
@ -23,12 +25,11 @@
 #define MBEDTLS_MEMORY_BUFFER_ALLOC_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 /**
 * \name SECTION: Module settings
--- a/third_party/mbedtls/include/mbedtls/net.h
+++ b/third_party/mbedtls/include/mbedtls/net.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file net.h
 *
@ -22,13 +24,13 @@
 *  limitations under the License.
 */
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#include "mbedtls/net_sockets.h"
+#include "third_party/mbedtls/include/mbedtls/net_sockets.h"
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
 #endif /* MBEDTLS_DEPRECATED_WARNING */
--- a/third_party/mbedtls/include/mbedtls/net_sockets.h
+++ b/third_party/mbedtls/include/mbedtls/net_sockets.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file net_sockets.h
 *
@ -39,15 +41,13 @@
 #define MBEDTLS_NET_SOCKETS_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
 #include <stddef.h>
 #include <stdint.h>
 #define MBEDTLS_ERR_NET_SOCKET_FAILED                     -0x0042  /**< Failed to open a socket. */
 #define MBEDTLS_ERR_NET_CONNECT_FAILED                    -0x0044  /**< The connection to the given server / port failed. */
--- a/third_party/mbedtls/include/mbedtls/nist_kw.h
+++ b/third_party/mbedtls/include/mbedtls/nist_kw.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file nist_kw.h
 *
@ -36,12 +38,12 @@
 #define MBEDTLS_NIST_KW_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #ifdef __cplusplus
 extern "C" {
@ -69,7 +71,7 @@ typedef struct {
 } mbedtls_nist_kw_context;
 #else  /* MBEDTLS_NIST_key wrapping_ALT */
-#include "nist_kw_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/nist_kw_alt.h" */
 #endif /* MBEDTLS_NIST_KW_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/oid.h
+++ b/third_party/mbedtls/include/mbedtls/oid.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file oid.h
 *
@ -23,22 +25,21 @@
 #define MBEDTLS_OID_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
-#include "mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
 #include <stddef.h>
 #if defined(MBEDTLS_CIPHER_C)
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #endif
 #if defined(MBEDTLS_MD_C)
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #endif
 #define MBEDTLS_ERR_OID_NOT_FOUND                         -0x002E  /**< OID is not found. */
--- a/third_party/mbedtls/include/mbedtls/padlock.h
+++ b/third_party/mbedtls/include/mbedtls/padlock.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file padlock.h
 *
@ -27,12 +29,12 @@
 #define MBEDTLS_PADLOCK_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
 #define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */
@ -50,7 +52,6 @@
 #define MBEDTLS_HAVE_X86
 #endif
 #include <stdint.h>
 #define MBEDTLS_PADLOCK_RNG 0x000C
 #define MBEDTLS_PADLOCK_ACE 0x00C0
--- a/third_party/mbedtls/include/mbedtls/pem.h
+++ b/third_party/mbedtls/include/mbedtls/pem.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file pem.h
 *
@ -23,12 +25,11 @@
 #define MBEDTLS_PEM_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 /**
 * \name PEM Error codes
--- a/third_party/mbedtls/include/mbedtls/pk.h
+++ b/third_party/mbedtls/include/mbedtls/pk.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file pk.h
 *
@ -24,27 +26,27 @@
 #define MBEDTLS_PK_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
 #endif
 #if defined(MBEDTLS_ECP_C)
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
 #endif
 #if defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdsa.h"
+#include "third_party/mbedtls/include/mbedtls/ecdsa.h"
 #endif
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
 #endif
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
--- a/third_party/mbedtls/include/mbedtls/pk_internal.h
+++ b/third_party/mbedtls/include/mbedtls/pk_internal.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file pk_internal.h
 *
@ -24,12 +26,12 @@
 #define MBEDTLS_PK_WRAP_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
 struct mbedtls_pk_info_t
 {
--- a/third_party/mbedtls/include/mbedtls/pkcs11.h
+++ b/third_party/mbedtls/include/mbedtls/pkcs11.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file pkcs11.h
 *
@ -25,14 +27,14 @@
 #define MBEDTLS_PKCS11_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #if defined(MBEDTLS_PKCS11_C)
-#include "mbedtls/x509_crt.h"
+#include "third_party/mbedtls/include/mbedtls/x509_crt.h"
 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
--- a/third_party/mbedtls/include/mbedtls/pkcs12.h
+++ b/third_party/mbedtls/include/mbedtls/pkcs12.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file pkcs12.h
 *
@ -23,16 +25,15 @@
 #define MBEDTLS_PKCS12_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
-#include "mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
 #include <stddef.h>
 #define MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA                 -0x1F80  /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE            -0x1F00  /**< Feature not available, e.g. unsupported encryption scheme. */
--- a/third_party/mbedtls/include/mbedtls/pkcs5.h
+++ b/third_party/mbedtls/include/mbedtls/pkcs5.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file pkcs5.h
 *
@ -25,16 +27,14 @@
 #define MBEDTLS_PKCS5_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #include <stddef.h>
 #include <stdint.h>
 #define MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA                  -0x2f80  /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_PKCS5_INVALID_FORMAT                  -0x2f00  /**< Unexpected ASN.1 data. */
--- a/third_party/mbedtls/include/mbedtls/platform.h
+++ b/third_party/mbedtls/include/mbedtls/platform.h
@ -1,3 +1,4 @@
 /* clang-format off */
 /**
 * \file platform.h
 *
@ -30,15 +31,17 @@
 */
 #ifndef MBEDTLS_PLATFORM_H
 #define MBEDTLS_PLATFORM_H
 #include "libc/fmt/fmt.h"
 #include "libc/stdio/stdio.h"
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
+#include "third_party/mbedtls/include/mbedtls/platform_time.h"
 #endif
 #define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED     -0x0070 /**< Hardware accelerator failed */
@ -66,9 +69,6 @@ extern "C" {
 #endif
 #if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
 #if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
 #define MBEDTLS_PLATFORM_STD_SNPRINTF   mbedtls_platform_win32_snprintf /**< The default \c snprintf function to use.  */
@ -137,7 +137,6 @@ extern "C" {
 #define mbedtls_calloc     MBEDTLS_PLATFORM_CALLOC_MACRO
 #else
 /* For size_t */
 #include <stddef.h>
 extern void *mbedtls_calloc( size_t n, size_t size );
 extern void mbedtls_free( void *ptr );
@ -163,7 +162,6 @@ int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
 */
 #if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
 /* We need FILE * */
 #include <stdio.h>
 extern int (*mbedtls_fprintf)( FILE *stream, const char *format, ... );
 /**
@ -254,13 +252,11 @@ int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
 *   the destination buffer is too short.
 */
 #if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
 #include <stdarg.h>
 /* For Older Windows (inc. MSYS2), we provide our own fixed implementation */
 int mbedtls_platform_win32_vsnprintf( char *s, size_t n, const char *fmt, va_list arg );
 #endif
 #if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
 #include <stdarg.h>
 extern int (*mbedtls_vsnprintf)( char * s, size_t n, const char * format, va_list arg );
 /**
@ -375,7 +371,7 @@ typedef struct mbedtls_platform_context
 mbedtls_platform_context;
 #else
-#include "platform_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/platform_alt.h" */
 #endif /* !MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/platform_time.h
+++ b/third_party/mbedtls/include/mbedtls/platform_time.h
@ -1,3 +1,4 @@
 /* clang-format off */
 /**
 * \file platform_time.h
 *
@ -21,9 +22,11 @@
 */
 #ifndef MBEDTLS_PLATFORM_TIME_H
 #define MBEDTLS_PLATFORM_TIME_H
 #include "libc/time/time.h"
 #include "libc/calls/weirdtypes.h"
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@ -47,7 +50,6 @@ extern "C" {
 typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t;
 #else
 /* For time_t */
 #include <time.h>
 typedef time_t mbedtls_time_t;
 #endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
--- a/third_party/mbedtls/include/mbedtls/platform_util.h
+++ b/third_party/mbedtls/include/mbedtls/platform_util.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file platform_util.h
 *
@ -24,15 +26,13 @@
 #define MBEDTLS_PLATFORM_UTIL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #if defined(MBEDTLS_HAVE_TIME_DATE)
-#include "mbedtls/platform_time.h"
+#include "third_party/mbedtls/include/mbedtls/platform_time.h"
 #include <time.h>
 #endif /* MBEDTLS_HAVE_TIME_DATE */
 #ifdef __cplusplus
@ -44,7 +44,6 @@ extern "C" {
 #if defined(MBEDTLS_CHECK_PARAMS_ASSERT)
 /* Allow the user to define MBEDTLS_PARAM_FAILED to something like assert
 * (which is what our config.h suggests). */
 #include <assert.h>
 #endif /* MBEDTLS_CHECK_PARAMS_ASSERT */
 #if defined(MBEDTLS_PARAM_FAILED)
--- a/third_party/mbedtls/include/mbedtls/poly1305.h
+++ b/third_party/mbedtls/include/mbedtls/poly1305.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file poly1305.h
 *
@ -33,13 +35,11 @@
 #define MBEDTLS_POLY1305_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stdint.h>
 #include <stddef.h>
 #define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA         -0x0057 /**< Invalid input parameter(s). */
@ -68,7 +68,7 @@ typedef struct mbedtls_poly1305_context
 mbedtls_poly1305_context;
 #else  /* MBEDTLS_POLY1305_ALT */
-#include "poly1305_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/poly1305_alt.h" */
 #endif /* MBEDTLS_POLY1305_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/psa_util.h
+++ b/third_party/mbedtls/include/mbedtls/psa_util.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file psa_util.h
 *
@ -27,21 +29,19 @@
 #define MBEDTLS_PSA_UTIL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
-#include "mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
-#include "mbedtls/oid.h"
+#include "third_party/mbedtls/include/mbedtls/oid.h"
 #include <string.h>
 /* Translations for symmetric crypto. */
@ -489,11 +489,11 @@ int mbedtls_psa_get_random( void *p_rng,
 #else /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
 #if defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/ctr_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/ctr_drbg.h"
 typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t;
 static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_ctr_drbg_random;
 #elif defined(MBEDTLS_HMAC_DRBG_C)
-#include "mbedtls/hmac_drbg.h"
+#include "third_party/mbedtls/include/mbedtls/hmac_drbg.h"
 typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t;
 static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_hmac_drbg_random;
 #endif
--- a/third_party/mbedtls/include/mbedtls/ripemd160.h
+++ b/third_party/mbedtls/include/mbedtls/ripemd160.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ripemd160.h
 *
@ -23,13 +25,11 @@
 #define MBEDTLS_RIPEMD160_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 /* MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED is deprecated and should not be used.
 */
@ -55,7 +55,7 @@ typedef struct mbedtls_ripemd160_context
 mbedtls_ripemd160_context;
 #else  /* MBEDTLS_RIPEMD160_ALT */
-#include "ripemd160_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/ripemd160_alt.h" */
 #endif /* MBEDTLS_RIPEMD160_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/rsa.h
+++ b/third_party/mbedtls/include/mbedtls/rsa.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file rsa.h
 *
@ -29,16 +31,16 @@
 #define MBEDTLS_RSA_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
 #endif
 /*
@ -137,7 +139,7 @@ typedef struct mbedtls_rsa_context
 mbedtls_rsa_context;
 #else  /* MBEDTLS_RSA_ALT */
-#include "rsa_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/rsa_alt.h" */
 #endif /* MBEDTLS_RSA_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/rsa_internal.h
+++ b/third_party/mbedtls/include/mbedtls/rsa_internal.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file rsa_internal.h
 *
@ -56,12 +58,12 @@
 #define MBEDTLS_RSA_INTERNAL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/include/mbedtls/sha1.h
+++ b/third_party/mbedtls/include/mbedtls/sha1.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file sha1.h
 *
@ -30,13 +32,11 @@
 #define MBEDTLS_SHA1_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 /* MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED                  -0x0035  /**< SHA-1 hardware accelerator failed */
@ -67,7 +67,7 @@ typedef struct mbedtls_sha1_context
 mbedtls_sha1_context;
 #else  /* MBEDTLS_SHA1_ALT */
-#include "sha1_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/sha1_alt.h" */
 #endif /* MBEDTLS_SHA1_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/sha256.h
+++ b/third_party/mbedtls/include/mbedtls/sha256.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file sha256.h
 *
@ -26,13 +28,11 @@
 #define MBEDTLS_SHA256_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 /* MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED                -0x0037  /**< SHA-256 hardware accelerator failed */
@ -64,7 +64,7 @@ typedef struct mbedtls_sha256_context
 mbedtls_sha256_context;
 #else  /* MBEDTLS_SHA256_ALT */
-#include "sha256_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/sha256_alt.h" */
 #endif /* MBEDTLS_SHA256_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/sha512.h
+++ b/third_party/mbedtls/include/mbedtls/sha512.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file sha512.h
 * \brief This file contains SHA-384 and SHA-512 definitions and functions.
@ -25,13 +27,11 @@
 #define MBEDTLS_SHA512_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 /* MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED                -0x0039  /**< SHA-512 hardware accelerator failed */
@ -65,7 +65,7 @@ typedef struct mbedtls_sha512_context
 mbedtls_sha512_context;
 #else  /* MBEDTLS_SHA512_ALT */
-#include "sha512_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/sha512_alt.h" */
 #endif /* MBEDTLS_SHA512_ALT */
 /**
--- a/third_party/mbedtls/include/mbedtls/ssl.h
+++ b/third_party/mbedtls/include/mbedtls/ssl.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ssl.h
 *
@ -23,23 +25,23 @@
 #define MBEDTLS_SSL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
-#include "mbedtls/ecp.h"
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
-#include "mbedtls/ssl_ciphersuites.h"
+#include "third_party/mbedtls/include/mbedtls/ssl_ciphersuites.h"
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-#include "mbedtls/x509_crt.h"
+#include "third_party/mbedtls/include/mbedtls/x509_crt.h"
-#include "mbedtls/x509_crl.h"
+#include "third_party/mbedtls/include/mbedtls/x509_crl.h"
 #endif
 #if defined(MBEDTLS_DHM_C)
-#include "mbedtls/dhm.h"
+#include "third_party/mbedtls/include/mbedtls/dhm.h"
 #endif
 /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
@ -48,7 +50,7 @@
 * MBEDTLS_ECDSA_C which does not seem correct.
 */
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
-#include "mbedtls/ecdh.h"
+#include "third_party/mbedtls/include/mbedtls/ecdh.h"
 #endif
 #if defined(MBEDTLS_ZLIB_SUPPORT)
@ -61,15 +63,15 @@
 #error "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and cannot be used if MBEDTLS_DEPRECATED_REMOVED is set"
 #endif
-#include "zlib.h"
+#include "third_party/zlib/zlib.h"
 #endif
 #if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
+#include "third_party/mbedtls/include/mbedtls/platform_time.h"
 #endif
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 /*
--- a/third_party/mbedtls/include/mbedtls/ssl_cache.h
+++ b/third_party/mbedtls/include/mbedtls/ssl_cache.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ssl_cache.h
 *
@ -23,15 +25,15 @@
 #define MBEDTLS_SSL_CACHE_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
 #if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
 #endif
 /**
--- a/third_party/mbedtls/include/mbedtls/ssl_ciphersuites.h
+++ b/third_party/mbedtls/include/mbedtls/ssl_ciphersuites.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ssl_ciphersuites.h
 *
@ -23,14 +25,14 @@
 #define MBEDTLS_SSL_CIPHERSUITES_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
-#include "mbedtls/md.h"
+#include "third_party/mbedtls/include/mbedtls/md.h"
 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/include/mbedtls/ssl_cookie.h
+++ b/third_party/mbedtls/include/mbedtls/ssl_cookie.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ssl_cookie.h
 *
@ -23,15 +25,15 @@
 #define MBEDTLS_SSL_COOKIE_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
 #if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
 #endif
 /**
--- a/third_party/mbedtls/include/mbedtls/ssl_internal.h
+++ b/third_party/mbedtls/include/mbedtls/ssl_internal.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ssl_internal.h
 *
@ -23,41 +25,41 @@
 #define MBEDTLS_SSL_INTERNAL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
 #endif
 #if defined(MBEDTLS_MD5_C)
-#include "mbedtls/md5.h"
+#include "third_party/mbedtls/include/mbedtls/md5.h"
 #endif
 #if defined(MBEDTLS_SHA1_C)
-#include "mbedtls/sha1.h"
+#include "third_party/mbedtls/include/mbedtls/sha1.h"
 #endif
 #if defined(MBEDTLS_SHA256_C)
-#include "mbedtls/sha256.h"
+#include "third_party/mbedtls/include/mbedtls/sha256.h"
 #endif
 #if defined(MBEDTLS_SHA512_C)
-#include "mbedtls/sha512.h"
+#include "third_party/mbedtls/include/mbedtls/sha512.h"
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#include "mbedtls/ecjpake.h"
+#include "third_party/mbedtls/include/mbedtls/ecjpake.h"
 #endif
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
+#include "third_party/mbedtls/include/psa/crypto.h"
-#include "mbedtls/psa_util.h"
+#include "third_party/mbedtls/include/mbedtls/psa_util.h"
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
--- a/third_party/mbedtls/include/mbedtls/ssl_ticket.h
+++ b/third_party/mbedtls/include/mbedtls/ssl_ticket.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file ssl_ticket.h
 *
@ -23,7 +25,7 @@
 #define MBEDTLS_SSL_TICKET_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
@ -34,11 +36,11 @@
 * secrecy, when MBEDTLS_HAVE_TIME is defined.
 */
-#include "mbedtls/ssl.h"
+#include "third_party/mbedtls/include/mbedtls/ssl.h"
-#include "mbedtls/cipher.h"
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "third_party/mbedtls/include/mbedtls/threading.h"
 #endif
 #ifdef __cplusplus
--- a/third_party/mbedtls/include/mbedtls/threading.h
+++ b/third_party/mbedtls/include/mbedtls/threading.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file threading.h
 *
@ -23,13 +25,11 @@
 #define MBEDTLS_THREADING_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stdlib.h>
 #ifdef __cplusplus
 extern "C" {
 #endif
@ -42,7 +42,6 @@ extern "C" {
 #define MBEDTLS_ERR_THREADING_MUTEX_ERROR                 -0x001E  /**< Locking / unlocking / free failed with error code. */
 #if defined(MBEDTLS_THREADING_PTHREAD)
 #include <pthread.h>
 typedef struct mbedtls_threading_mutex_t
 {
    pthread_mutex_t mutex;
@ -55,7 +54,7 @@ typedef struct mbedtls_threading_mutex_t
 #if defined(MBEDTLS_THREADING_ALT)
 /* You should define the mbedtls_threading_mutex_t type in your header */
-#include "threading_alt.h"
+/* #include "threading_alt.h" */
 /**
 * \brief           Set your alternate threading implementation function
--- a/third_party/mbedtls/include/mbedtls/timing.h
+++ b/third_party/mbedtls/include/mbedtls/timing.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file timing.h
 *
@ -23,12 +25,11 @@
 #define MBEDTLS_TIMING_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stdint.h>
 #ifdef __cplusplus
 extern "C" {
@ -57,7 +58,7 @@ typedef struct mbedtls_timing_delay_context
 } mbedtls_timing_delay_context;
 #else  /* MBEDTLS_TIMING_ALT */
-#include "timing_alt.h"
+/* #include "timing_alt.h" */
 #endif /* MBEDTLS_TIMING_ALT */
 extern volatile int mbedtls_timing_alarmed;
--- a/third_party/mbedtls/include/mbedtls/version.h
+++ b/third_party/mbedtls/include/mbedtls/version.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file version.h
 *
@ -27,7 +29,7 @@
 #define MBEDTLS_VERSION_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
--- a/third_party/mbedtls/include/mbedtls/x509.h
+++ b/third_party/mbedtls/include/mbedtls/x509.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file x509.h
 *
@ -23,16 +25,16 @@
 #define MBEDTLS_X509_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/asn1.h"
+#include "third_party/mbedtls/include/mbedtls/asn1.h"
-#include "mbedtls/pk.h"
+#include "third_party/mbedtls/include/mbedtls/pk.h"
 #if defined(MBEDTLS_RSA_C)
-#include "mbedtls/rsa.h"
+#include "third_party/mbedtls/include/mbedtls/rsa.h"
 #endif
 /**
--- a/third_party/mbedtls/include/mbedtls/x509_crl.h
+++ b/third_party/mbedtls/include/mbedtls/x509_crl.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file x509_crl.h
 *
@ -23,12 +25,12 @@
 #define MBEDTLS_X509_CRL_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/x509.h"
+#include "third_party/mbedtls/include/mbedtls/x509.h"
 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/include/mbedtls/x509_crt.h
+++ b/third_party/mbedtls/include/mbedtls/x509_crt.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file x509_crt.h
 *
@ -23,14 +25,14 @@
 #define MBEDTLS_X509_CRT_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/x509.h"
+#include "third_party/mbedtls/include/mbedtls/x509.h"
-#include "mbedtls/x509_crl.h"
+#include "third_party/mbedtls/include/mbedtls/x509_crl.h"
-#include "mbedtls/bignum.h"
+#include "third_party/mbedtls/include/mbedtls/bignum.h"
 /**
 * \addtogroup x509_module
--- a/third_party/mbedtls/include/mbedtls/x509_csr.h
+++ b/third_party/mbedtls/include/mbedtls/x509_csr.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file x509_csr.h
 *
@ -23,12 +25,12 @@
 #define MBEDTLS_X509_CSR_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
-#include "mbedtls/x509.h"
+#include "third_party/mbedtls/include/mbedtls/x509.h"
 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/include/mbedtls/xtea.h
+++ b/third_party/mbedtls/include/mbedtls/xtea.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file xtea.h
 *
@ -23,13 +25,11 @@
 #define MBEDTLS_XTEA_H
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include <stddef.h>
 #include <stdint.h>
 #define MBEDTLS_XTEA_ENCRYPT     1
 #define MBEDTLS_XTEA_DECRYPT     0
@ -57,7 +57,7 @@ typedef struct mbedtls_xtea_context
 mbedtls_xtea_context;
 #else  /* MBEDTLS_XTEA_ALT */
-#include "xtea_alt.h"
+/* #include "third_party/mbedtls/include/mbedtls/xtea_alt.h" */
 #endif /* MBEDTLS_XTEA_ALT */
 /**
--- a/third_party/mbedtls/include/psa/crypto.h
+++ b/third_party/mbedtls/include/psa/crypto.h
@ -1,3 +1,4 @@
 /* clang-format off */
 /**
 * \file psa/crypto.h
 * \brief Platform Security Architecture cryptography module
@ -18,13 +19,9 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
 #ifndef PSA_CRYPTO_H
 #define PSA_CRYPTO_H
-
+#include "third_party/mbedtls/include/psa/crypto_platform.h"
 #include "crypto_platform.h"
 #include <stddef.h>
 #ifdef __DOXYGEN_ONLY__
 /* This __DOXYGEN_ONLY__ block contains mock definitions for things that
@ -45,7 +42,7 @@ extern "C" {
 /* The file "crypto_types.h" declares types that encode errors,
 * algorithms, key types, policies, etc. */
-#include "crypto_types.h"
+#include "third_party/mbedtls/include/psa/crypto_types.h"
 /** \defgroup version API version
 * @{
@ -65,7 +62,7 @@ extern "C" {
 /* The file "crypto_values.h" declares macros to build and analyze values
 * of integral types defined in "crypto_types.h". */
-#include "crypto_values.h"
+#include "third_party/mbedtls/include/psa/crypto_values.h"
 /** \defgroup initialization Library initialization
 * @{
@ -3764,14 +3761,14 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
 /* The file "crypto_sizes.h" contains definitions for size calculation
 * macros whose definitions are implementation-specific. */
-#include "crypto_sizes.h"
+#include "third_party/mbedtls/include/psa/crypto_sizes.h"
 /* The file "crypto_struct.h" contains definitions for
 * implementation-specific structs that are declared above. */
-#include "crypto_struct.h"
+#include "third_party/mbedtls/include/psa/crypto_struct.h"
 /* The file "crypto_extra.h" contains vendor-specific definitions. This
 * can include vendor-defined algorithms, extra functions, etc. */
-#include "crypto_extra.h"
+#include "third_party/mbedtls/include/psa/crypto_extra.h"
 #endif /* PSA_CRYPTO_H */
--- a/third_party/mbedtls/include/psa/crypto_compat.h
+++ b/third_party/mbedtls/include/psa/crypto_compat.h
@ -1,3 +1,4 @@
 /* clang-format off */
 /**
 * \file psa/crypto_compat.h
 *
@ -26,9 +27,10 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
 #ifndef PSA_CRYPTO_COMPAT_H
 #define PSA_CRYPTO_COMPAT_H
 #include "third_party/mbedtls/include/psa/crypto_values.h"
 #include "third_party/mbedtls/include/psa/crypto_types.h"
 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/include/psa/crypto_config.h
+++ b/third_party/mbedtls/include/psa/crypto_config.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file psa/crypto_config.h
 * \brief PSA crypto configuration options (set of defines)
--- a/third_party/mbedtls/include/psa/crypto_driver_common.h
+++ b/third_party/mbedtls/include/psa/crypto_driver_common.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file psa/crypto_driver_common.h
 * \brief Definitions for all PSA crypto drivers
@ -34,14 +36,11 @@
 #ifndef PSA_CRYPTO_DRIVER_COMMON_H
 #define PSA_CRYPTO_DRIVER_COMMON_H
 #include <stddef.h>
 #include <stdint.h>
 /* Include type definitions (psa_status_t, psa_algorithm_t,
 * psa_key_type_t, etc.) and macros to build and analyze values
 * of these types. */
-#include "crypto_types.h"
+#include "third_party/mbedtls/include/psa/crypto_types.h"
-#include "crypto_values.h"
+#include "third_party/mbedtls/include/psa/crypto_values.h"
 /** For encrypt-decrypt functions, whether the operation is an encryption
 * or a decryption. */
--- a/third_party/mbedtls/include/psa/crypto_extra.h
+++ b/third_party/mbedtls/include/psa/crypto_extra.h
@ -24,14 +24,13 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
 #ifndef PSA_CRYPTO_EXTRA_H
 #define PSA_CRYPTO_EXTRA_H
-
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/psa/crypto_compat.h"
-
+#include "third_party/mbedtls/include/psa/crypto_struct.h"
-#include "crypto_compat.h"
+#include "third_party/mbedtls/include/psa/crypto_types.h"
-
+/* clang-format off */
 #ifdef __cplusplus
 extern "C" {
 #endif
@ -569,7 +568,7 @@ psa_status_t psa_get_key_domain_parameters(
 */
 #if defined(MBEDTLS_ECP_C)
-#include <mbedtls/ecp.h>
+#include "third_party/mbedtls/include/mbedtls/ecp.h"
 /** Convert an ECC curve identifier from the Mbed TLS encoding to PSA.
 *
--- a/third_party/mbedtls/include/psa/crypto_platform.h
+++ b/third_party/mbedtls/include/psa/crypto_platform.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file psa/crypto_platform.h
 *
@ -29,24 +31,10 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
 #ifndef PSA_CRYPTO_PLATFORM_H
 #define PSA_CRYPTO_PLATFORM_H
-
+#include "third_party/mbedtls/include/mbedtls/config.h"
-/* Include the Mbed TLS configuration file, the way Mbed TLS does it
+#include "third_party/mbedtls/include/mbedtls/config_psa.h"
 * in each of its header files. */
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 /* Translate between classic MBEDTLS_xxx feature symbols and PSA_xxx
 * feature symbols. */
 #include "mbedtls/config_psa.h"
 /* PSA requires several types which C99 provides in stdint.h. */
 #include <stdint.h>
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
--- a/third_party/mbedtls/include/psa/crypto_se_driver.h
+++ b/third_party/mbedtls/include/psa/crypto_se_driver.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file psa/crypto_se_driver.h
 * \brief PSA external cryptoprocessor driver module
@ -34,7 +36,7 @@
 #ifndef PSA_CRYPTO_SE_DRIVER_H
 #define PSA_CRYPTO_SE_DRIVER_H
-#include "crypto_driver_common.h"
+#include "third_party/mbedtls/include/psa/crypto_driver_common.h"
 #ifdef __cplusplus
 extern "C" {
--- a/third_party/mbedtls/include/psa/crypto_sizes.h
+++ b/third_party/mbedtls/include/psa/crypto_sizes.h
@ -1,3 +1,5 @@
 /* clang-format off */
 /**
 * \file psa/crypto_sizes.h
 *
@ -43,7 +45,7 @@
 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
 * in each of its header files. */
 #if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+#include "third_party/mbedtls/include/mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
--- a/third_party/mbedtls/include/psa/crypto_struct.h
+++ b/third_party/mbedtls/include/psa/crypto_struct.h
@ -49,34 +49,28 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
 #ifndef PSA_CRYPTO_STRUCT_H
 #define PSA_CRYPTO_STRUCT_H
-
+#include "third_party/mbedtls/include/mbedtls/cipher.h"
 #include "third_party/mbedtls/include/mbedtls/cmac.h"
 #include "third_party/mbedtls/include/mbedtls/config.h"
 #include "third_party/mbedtls/include/mbedtls/gcm.h"
 #include "third_party/mbedtls/include/mbedtls/md.h"
 #include "third_party/mbedtls/include/mbedtls/md2.h"
 #include "third_party/mbedtls/include/mbedtls/md4.h"
 #include "third_party/mbedtls/include/mbedtls/md5.h"
 #include "third_party/mbedtls/include/mbedtls/ripemd160.h"
 #include "third_party/mbedtls/include/mbedtls/sha1.h"
 #include "third_party/mbedtls/include/mbedtls/sha256.h"
 #include "third_party/mbedtls/include/mbedtls/sha512.h"
 #include "third_party/mbedtls/include/psa/crypto_sizes.h"
 #include "third_party/mbedtls/include/psa/crypto_types.h"
 #include "third_party/mbedtls/include/psa/crypto_values.h"
 /* clang-format off */
 #ifdef __cplusplus
 extern "C" {
 #endif
 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
 * in each of its header files. */
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "mbedtls/cipher.h"
 #include "mbedtls/cmac.h"
 #include "mbedtls/gcm.h"
 #include "mbedtls/md.h"
 #include "mbedtls/md2.h"
 #include "mbedtls/md4.h"
 #include "mbedtls/md5.h"
 #include "mbedtls/ripemd160.h"
 #include "mbedtls/sha1.h"
 #include "mbedtls/sha256.h"
 #include "mbedtls/sha512.h"
 typedef struct {
    /** Unique ID indicating which driver got assigned to do the
     * operation. Since driver contexts are driver-specific, swapping
@ -445,31 +439,6 @@ static inline psa_algorithm_t psa_get_key_algorithm(
    return( attributes->core.policy.alg );
 }
 /* This function is declared in crypto_extra.h, which comes after this
 * header file, but we need the function here, so repeat the declaration. */
 psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
                                           psa_key_type_t type,
                                           const uint8_t *data,
                                           size_t data_length);
 static inline void psa_set_key_type(psa_key_attributes_t *attributes,
                                    psa_key_type_t type)
 {
    if( attributes->domain_parameters == NULL )
    {
        /* Common case: quick path */
        attributes->core.type = type;
    }
    else
    {
        /* Call the bigger function to free the old domain paramteres.
         * Ignore any errors which may arise due to type requiring
         * non-default domain parameters, since this function can't
         * report errors. */
        (void) psa_set_key_domain_parameters( attributes, type, NULL, 0 );
    }
 }
 static inline psa_key_type_t psa_get_key_type(
    const psa_key_attributes_t *attributes)
 {
--- a/third_party/mbedtls/include/psa/crypto_types.h
+++ b/third_party/mbedtls/include/psa/crypto_types.h
@ -1,3 +1,4 @@
 /* clang-format off */
 /**
 * \file psa/crypto_types.h
 *
@ -29,11 +30,9 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
 #ifndef PSA_CRYPTO_TYPES_H
 #define PSA_CRYPTO_TYPES_H
-
+#include "third_party/mbedtls/include/psa/crypto_platform.h"
 #include "crypto_platform.h"
 /* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
 * is defined as well to include all PSA code.
@ -42,8 +41,6 @@
 #define MBEDTLS_PSA_CRYPTO_CLIENT
 #endif /* MBEDTLS_PSA_CRYPTO_C */
 #include <stdint.h>
 /** \defgroup error Error codes
 * @{
 */
--- a/third_party/mbedtls/include/psa/crypto_values.h
+++ b/third_party/mbedtls/include/psa/crypto_values.h
@ -1,3 +1,4 @@
 /* clang-format off */
 /**
 * \file psa/crypto_values.h
 *
@ -30,9 +31,9 @@
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
 #ifndef PSA_CRYPTO_VALUES_H
 #define PSA_CRYPTO_VALUES_H
 #include "third_party/mbedtls/include/psa/crypto_types.h"
 /** \defgroup error Error codes
 * @{
--- a/third_party/mbedtls/include/psa/sheesh.h
+++ b/third_party/mbedtls/include/psa/sheesh.h
@ -0,0 +1,18 @@
 #ifndef COSMOPOLITAN_THIRD_PARTY_MBEDTLS_INCLUDE_PSA_SHEESH_H_
 #define COSMOPOLITAN_THIRD_PARTY_MBEDTLS_INCLUDE_PSA_SHEESH_H_
 #include "third_party/mbedtls/include/psa/crypto_extra.h"
 #if !(__ASSEMBLER__ + __LINKER__ + 0)
 COSMOPOLITAN_C_START_
 static inline void psa_set_key_type(psa_key_attributes_t *attributes,
                                    psa_key_type_t type) {
  if (!attributes->domain_parameters) {
    attributes->core.type = type;
  } else {
    psa_set_key_domain_parameters(attributes, type, NULL, 0);
  }
 }
 COSMOPOLITAN_C_END_
 #endif /* !(__ASSEMBLER__ + __LINKER__ + 0) */
 #endif /* COSMOPOLITAN_THIRD_PARTY_MBEDTLS_INCLUDE_PSA_SHEESH_H_ */
--- a/third_party/mbedtls/library/aes.c
+++ b/third_party/mbedtls/library/aes.c
@ -1,3 +1,4 @@
 /* clang-format off */
 /*
 *  FIPS-197 compliant AES implementation
 *
@ -23,28 +24,27 @@
 *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
 */
-#include "common.h"
+#include "libc/nexgen32e/x86feature.h"
 #include "third_party/mbedtls/library/common.h"
 #if defined(MBEDTLS_AES_C)
 #include <string.h>
-#include "mbedtls/aes.h"
+#include "third_party/mbedtls/include/mbedtls/aes.h"
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "third_party/mbedtls/include/mbedtls/error.h"
 #if defined(MBEDTLS_PADLOCK_C)
-#include "mbedtls/padlock.h"
+#include "third_party/mbedtls/include/mbedtls/padlock.h"
 #endif
 #if defined(MBEDTLS_AESNI_C)
-#include "mbedtls/aesni.h"
+#include "third_party/mbedtls/include/mbedtls/aesni.h"
 #endif
 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
 #include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
@ -584,7 +584,7 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
    ctx->rk = RK = ctx->buf;
 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
-    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+    if( X86_HAVE( AES ) )
        return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
 #endif
@ -694,7 +694,7 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
    ctx->nr = cty.nr;
 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
-    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+    if( X86_HAVE( AES ) )
    {
        mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
                           (const unsigned char *) cty.rk, ctx->nr );
@ -1018,7 +1018,7 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
                      mode == MBEDTLS_AES_DECRYPT );
 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
-    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+    if( X86_HAVE( AES ) )
        return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
 #endif
--- a/third_party/mbedtls/library/aesni.c
+++ b/third_party/mbedtls/library/aesni.c
@ -1,3 +1,5 @@
 /* clang-format off */
 /*
 *  AES-NI support functions
 *
@ -22,7 +24,8 @@
 * [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
 */
-#include "common.h"
+#include "libc/str/str.h"
 #include "third_party/mbedtls/library/common.h"
 #if defined(MBEDTLS_AESNI_C)
@ -32,9 +35,8 @@
 #endif
 #endif
-#include "mbedtls/aesni.h"
+#include "third_party/mbedtls/include/mbedtls/aesni.h"
 #include <string.h>
 #ifndef asm
 #define asm __asm
@ -42,27 +44,6 @@
 #if defined(MBEDTLS_HAVE_X86_64)
 /*
 * AES-NI support detection routine
 */
 int mbedtls_aesni_has_support( unsigned int what )
 {
    static int done = 0;
    static unsigned int c = 0;
    if( ! done )
    {
        asm( "movl  $1, %%eax   \n\t"
             "cpuid             \n\t"
             : "=c" (c)
             :
             : "eax", "ebx", "edx" );
        done = 1;
    }
    return( ( c & what ) != 0 );
 }
 /*
 * Binutils needs to be at least 2.19 to support AES-NI instructions.
 * Unfortunately, a lot of users have a lower version now (2014-04).
--- a/third_party/mbedtls/library/arc4.c
+++ b/third_party/mbedtls/library/arc4.c
@ -1,3 +1,5 @@
 /* clang-format off */
 /*
 *  An implementation of the ARCFOUR algorithm
 *
@ -22,20 +24,18 @@
 *  http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
 */
-#include "common.h"
+#include "libc/str/str.h"
 #include "third_party/mbedtls/library/common.h"
 #if defined(MBEDTLS_ARC4_C)
-#include "mbedtls/arc4.h"
+#include "third_party/mbedtls/include/mbedtls/arc4.h"
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #include <string.h>
 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
 #include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
--- a/third_party/mbedtls/library/aria.c
+++ b/third_party/mbedtls/library/aria.c
@ -1,3 +1,5 @@
 /* clang-format off */
 /*
 *  ARIA implementation
 *
@ -23,26 +25,24 @@
 * [2] https://tools.ietf.org/html/rfc5794
 */
-#include "common.h"
+#include "third_party/mbedtls/library/common.h"
 #if defined(MBEDTLS_ARIA_C)
-#include "mbedtls/aria.h"
+#include "third_party/mbedtls/include/mbedtls/aria.h"
 #include <string.h>
 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
+#include "third_party/mbedtls/include/mbedtls/platform.h"
 #else
 #include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
 #if !defined(MBEDTLS_ARIA_ALT)
-#include "mbedtls/platform_util.h"
+#include "third_party/mbedtls/include/mbedtls/platform_util.h"
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
--- a/Show more
+++ b/Show more